Cheatsheet

ls

  • List only directories: ls -l /etc | grep '^d'
  • List only files: ls -l /etc | grep -v '^d'

dig

  • Installation: yum install bind-utils
  • Dig uses DNS servers defined in /etc/resolv.conf by default
  • Default options: vi $HOME/.digrc
  • Query A records: dig corneschi.ro
  • Query authoritative nameservers: dig corneschi.ro ns
  • Query MX Records: dig corneschi.ro mx
  • Query everything: dig corneschi.ro any
  • Query SOA: dig +multiline corneschi.ro soa
  • Query a different nameserver: dig @ns1.he.net corneschi.ro
  • DNS reverse look-up: dig -x 192.30.252.153
  • Hierarchical steps for the query:dig +trace corneschi.ro
  • Perform zone transfer (for security reasons most of the DNS servers will deny this query): dig corneschi.ro axfr
  • Display the SOA record from all authoritative nameservers: dig corneschi.ro +nssearch
  • Use search list defined in resolv.conf: dig ftp +search
  • Bulk query: dig -f dns_list

host

  • Display the SOA records for zone from all authoritative name servers: host -C corneschi.ro
  • Perform a zone transfer for zone name: host -a -l corneschi.ro
  • Display NS, MX, SOA for zone name: host -t [mx|ns|soa] corneschi.ro

Minor & major faults

  • Top 10 minor faults: ps -eo min_flt,cmd | grep -v MINFL | sort -rnk 1,1 | head
  • Top 10 major faults: ps -eo mamaj_flt,cmd | grep -v MAJFL | sort -rnk 1,1 | head
  • Sort major faults on RHEL 5/6: top --> shift + o --> u
  • Sort major or minor faults on RHEL 7: top --> f --> mark nMaj or nMin --> s
  • Number of page faults (major + minor) + Number of major faults made by the system per second: sar -B 1
  • See the page faults that are generated by an executable (yum install time, type -a time): /usr/bin/time -f "(%Fmajor %Rminor)pagefaults" ls /etc/passwd

processes

  • List number of open file descriptors by process: ls -d /proc/[1-9]*/fd/* 2>/dev/null | sed 's/\/fd.*$//' | uniq -c | sort -rn | head
  • Display running processes: ps -eo state,pid,cmd | grep ^R
  • Display "D" state processes: ps -eo state,pid,cmd | grep ^D
  • List the number of processes by state: ps -e h -o stat | sort | uniq -c | sort -rn
  • Load average (Linux): ps -eLo state,pid,cmd | grep -E '^D|^R'
  • Load average (Solaris): ps -elf | awk '$2 ~/O/ || $2 ~/R/'
  • Top 10 processes by RSS: ps -e -o pid,comm,pmem,rss --sort -rss | head
  • Top 10 processes by CPU: ps -eo %cpu,pid,user,cmd --sort=-%cpu | head or top -b -n1 |sed -n '7,17'p
  • Sort apache processes by RSS: ps -ylC httpd --sort:rss
  • Count the number of processes by user: ps -ef | awk '{print $1}' | sort | uniq -c | sort -rn
  • Count the number of different process states: ps -e -o stat | sort | uniq -c | sort -rn
  • Display processor that processes are currently assigned to (PSR column): ps -eF
  • Display zombie processes: ps -e -o stat,cmd | awk '{if ($1 ~/Z/) print}'
  • Watch for "D" processes for one minute:

for i in `seq 1 60`; do ps -eo state,pid,cmd | grep "^D"; echo "--- $i ---"; sleep 1; done or

watch -n 1 "(ps aux | awk '\$8 ~ /D/ { print \$0 }')"

  • Find the process ID of a running program: pidof httpd

shutdown

  • Poweroff the system at 20:00: shutdown 20:00 &
  • Reboot the system now: shutdown -r now
  • Reboot the system in 10 minutes: shutdown -r +10 &
  • Halt or power off after shutdown: shutdown -h now
  • Cancel a running shutdown: shutdown -c
  • Only send warnings, don't shutdown: shutdown -k +5

nscd

  • Print current configuration statistics: nscd -g
  • Invalidate the specified cache: nscd -i passwd | hosts | group
  • View the configuration file: cat /etc/nscd.conf
  • Debug mode: /etc/init.d/nscd stop && nslcd -d > nslcd.debug.log 2>&1
  • Check which names are stored in the host database: strings /var/db/nscd/hosts | grep -P '[\w-]+\.\w+'
  • The location of DB files: ls -l /var/db/nscd

IO scheduler

  • View the current device I/O scheduler: cat /sys/block/<disk>/queue/scheduler
  • Change the current device I/O scheduler: echo "deadline" > /sys/block/<disk>/queue/scheduler
  • Enabling the deadline io scheduler at boot time:

vi /etc/grub.conf

add elevator=deadline to the end of the kernel line

postfix

  • Displays the values of main.cf configuration parameters: postconf
  • Show only configuration parameters that have explicit name=value settings in main.cf: postconf -n
  • Display the queue: mailq or postqueue -p
  • Delete a message from the queue: postsuper -d DFF553FE6A
  • Delete all messages from queue: postsuper -d ALL
  • Warn about bad directory/file ownership or permissions and create missing directories: postfix check
  • Force delivery (attempt to deliver every message in the deferred mail queue): postfix flush
  • Flush the queue (attempt to deliver all queued mail): postqueue -f
  • Produce a traditional sendmail-style queue listing: postqueue -p or mailq
  • Requeue the message with the named queue ID: postsuper -r <queue_id>
  • Requeue multiple messages: postsuper -r ALL

tar

  • Create an uncompressed tar archive: tar cvf home.tar /home
  • Create a gzipped archive (tar cjvf for bzip2): tar czvf home.tar.gz /home
  • Create a gzipped archive and include just a directory from a tree: tar -C /home -czvf home-daniel.tar.gz daniel
  • Create a bzip2 archive: tar cjvf home.tar.bz2 /home
  • Create a gzipped archive with absolute names: tar czPvf home.tar.gz /home
  • Create a gzipped archive for a specific day: tar czvf home-$(date +%Y%m%d).tar.gz /home
  • Extract an uncompressed tar archive (current dir): tar xvf home.tar
  • Extract a gzipped archive (current dir): tar zxvf home.tar.gz
  • Extract a bzip2 archive (current dir): tar xjvf home.tar.bz2
  • Extract a gzipped archive in the original location (required even if the archive was created with absolute names):
cd /
tar zxvf home.tar.gz

or

tar zxvf home.tar.gz -C /
  • Extract a gzipped archive in the original location (created with absolute names): tar zPxvf home.tar.gz
  • Extract a directory from a gzipped archive: tar zxvf home.tar.gz home/daniel --strip-components=1
  • Extract a file from a gzipped archive (with the dir structure): tar zxvf home.tar.gz home/dcorneschi/.ssh/authorized_keys
  • Extract a file from a gzipped archive (just the file): tar zxvf home.tar.gz home/dcorneschi/.ssh/authorized_keys --strip-components=3
  • List an uncompressed tar archive: tar tvf home.tar
  • List a gzipped archive: tar tzvf home.tar.gz
  • List a bzip2 archive: tar tjvf home.tar.bz2
  • Add a file and a directory to a uncompressed tar archive (not possible for gzip or bzip2 archives): tar rvf home.tar /tmp /etc/fstab
  • Add a directory for a gzipped archive (workaround):
gzip -d home.tar.gz
tar rvf home.tar /etc
gzip home.tar
  • Estimate the size of the gzipped archive: tar -czf - /home | wc -c
  • Find the difference between a gzipped archive and the filesystem: tar dzf home.tar.gz -C /
  • Remote backup: tar czvf - /home | ssh root@192.168.1.22 "cat > /root/server_name-home.tar.gz"
  • Restore backup from the target system: ssh root@192.168.1.22 "cat /root/server_name-home.tar.gz" | tar zxvf - -C /

lsof

  • Lists all open files belonging to all active processes: lsof
  • List all files for the user whose login names: lsof -u apache
  • List all files for processes executing the command that begins with the characters "mon": lsof -c mon
  • List all open network files: lsof -i
  • List all "LISTEN" connections: lsof -i | grep LISTEN
  • List only TCP or UDP network files: lsof -i TCP or lsof -i UDP
  • List open network files for port 80: lsof -i:80
  • List open network files associated with host name: lsof -i @192.168.1.23
  • List open network files associated with a PID: lsof -p 1234
  • List NFS files: lsof -N
  • List deleted files but files are still opened: lsof +L1 /tmp
  • Total size of all deleted files: lsof | awk '/deleted/ {sum+=$7} END {print sum}'

fuser

  • Identify all processes using a filesystem: fuser -vm /var
  • List all processes that are using port 80: fuser -vn tcp 80
  • Kill processes accessing the filesystem: fuser -km /home

mail

  • Send the content of a file: mail -s "Subject" username@email.com < /etc/fstab

ulimit

  • Display the configuration file: /etc/security/limits.conf or /etc/security/limits.d
  • All current limits are reported: ulimit -a
  • Display the soft limits: ulimit -aS
  • Display the hard limits: ulimit -aH
  • The maximum number of processes (+threads) available: ulimit -Su
  • Increase the maximum number of processes available: ulimit -u 5000

sysctl

  • Display the configuration file: cat /etc/sysctl.conf
  • Display the value of the variable: sysctl <variable>
  • Display all values currently available: sysctl -a
  • Change a sysctl setting: sysctl -w <variable>
  • Load in sysctl settings from/etc/sysctl.conf: sysctl -p

rpm

  • Install a rpm package: rpm -ihv httpd-2.2.15-60.el6.centos.6.x86_64.rpm
  • Install the packages even if is already installed on this system: rpm -ihv --replacepkgs httpd-2.2.15-60.el6.centos.6.x86_64.rpm
  • Install the package even if it replace files from other, already installed package: rpm -ihv --replacefiles httpd-2.2.15-60.el6.centos.6.x86_64.rpm
  • Don’t do a dependency check before installing or upgrading a package: rpm -ihv --nodeps httpd-2.2.15-60.el6.centos.6.x86_64.rpm
  • Update a rpm (it will be installed if it's not installed): rpm -Uhv httpd-2.2.15-60.el6.centos.6.x86_64.rpm
  • Allow an upgrade to replace a newer package with an older one: rpm -Uhv --oldpackage httpd-2.2.15-60.el6.centos.6.x86_64.rpm
  • Uninstall a package: rpm -e httpd
  • Check if a package is already installed: rpm -q httpd
  • List all packages installed: rpm -qa
  • List files in package: rpm -ql httpd
  • List files in package not installed: rpm -qpl /tmp/httpd-2.2.15-60.el6.centos.6.x86_64.rpm
  • List the package owning httpd.conf file: rpm -qf /etc/httpd/conf/httpd.conf
  • List only configuration files: rpm -qc httpd
  • List only documentation files: rpm -qd httpd
  • Display package information, including name, version, and description: rpm -qi httpd
  • List capabilities on which this package depends: rpm -qpR /tmp/httpd-2.2.15-60.el6.centos.6.x86_64.rpm
  • Compares information about the installed files in the package with metadata stored in the rpm database: rpm -V httpd
  • Verify all packages installed: rpm -Va
  • List packages with the group: rpm -qg "Applications/System"
  • Compile a src.rpm package (yum install rpm-build): rpmbuild --rebuild filename.src.rpm
  • List the package specific scriptlet(s) that are used as part of the installation and uninstallation processes: rpm -q --scripts kernel
  • List the scripts for all packages: rpm -qa --queryformat "\n\nPACKAGE: %{name}\n" --scripts

find

Use 2> /dev/null for skip the files in /proc

  • Find a specific file name (-iname for case insensitive): find / -name fstab
  • Find empty files: find / -depth -type f -empty
  • Find empty directories: find / -depth -type d -empty
  • Find files with specific extensions: find / -name *.rpmsave
  • Find files which have been modified in the last 24 hours: find /etc -mtime 0
  • Find files which have been accessed in the last 24 hours: find /home -atime 0
  • Find files owned by user daniel: find / -user daniel
  • Find files owned by user and group daniel: find / -user daniel -group daniel
  • Find files owned by users daniel and nicoleta: find / -user daniel -o -user nicoleta
  • Find multiples files: find . -type f \( -name daniel -o -name nicoleta -o -name pisu \) -exec ls -l {} \;
  • Find unowned files: find / -nouser -o -nogroup
  • Find files modified 1 minute ago: find /etc -mmin 1
  • Find files modified less than 30 minutes ago: find /etc -mmin -30
  • Find files modified between minute 6 and 9: find /etc -mmin +5 -mmin -10
  • Find all files with 755: find / -type f -perm 755
  • Find all directories with 755: find / -type d -perm 755
  • Find files with write permissions for "others": find /etc -type f -perm /002
  • Find directories with write permissions for "others": find /etc -type d -perm /002
  • Find all SUID binaries: find / -perm +4000
  • Find all SGID binaries: find / -perm +2000
  • Find files with 868 bytes in size: find / -size 868c
  • Find files which are less than than 1024 in size: find /etc -size -1024k
  • Find files which are more than 1 MB in size: find /etc -size +1M
  • Gzip all specific files: find . -type f \( -name daniel* -o -name nicoleta* -o -name pisu* \) -exec gzip {} \;
  • Delete the specific files: find . -type f \( -name daniel* -o -name nicoleta* -o -name pisu* \) -delete
  • Combine multiple exec: find . -type f \( -name daniel* -o -name nicoleta* -o -name pisu* \) -exec ls -l {} \; -exec chown root {} \; -exec chmod 700 {} \;

mkfs

The amount of inodes available on a system is decided upon creation of the partition. For instance, a default partition of EXT3/EXT4 has a bytes-per-inode ratio of one inode every 16384 bytes (16 Kb). Every inode consumes 256 bytes (may be configured as 128).

  • Format a disk with one of the fs type from /etc/mke2fs.conf

mkfs.ext4 -T <usage-type> /dev/sda

  • Find out the number of inodes for a file system: tune2fs -l /dev/VolGroup/lv_root | grep "Inode count" or dumpe2fs /dev/VolGroup/lv_root | grep "Inode count"

locate

  • Create or updates a database used by locate: updatedb
  • Find a file by name: locate fstab
  • Ignore case when matching patterns: locate -i <patern>
  • Find the files ending in "/sbin" : locate -r /sbin$
  • Find the files that starts with "/etc/sysconfig/network" : locate -r ^/etc/sysconfig/network
  • Find the file that have .ps extension : locate \*.ps
  • Check if the file is still present on the server: locate -e fstab
  • Display only the first 3 results: locate -n 3 fstab

at

  • Run a command in 1 minute: echo "ping -c 10 www.google.com > ping.out" | at now + 1 minute
  • Run a command at 05:24 and send an email with the output: echo "ping -c 10 www.google.com" | at -m 05:24 today
  • Schedule a script: echo "sh /root/script.sh > /root/script.out" | at 2:00 AM Mar 25
  • List the scheduled jobs :at -l or atq
  • Remove scheduled job: atrm 6 or at -d 6
  • Check the content of scheduled job: at -c 18

Links