Fundamentals
📝 Author
Birat Aryal — birataryal.github.io
Created Date: 2026-03-22
Updated Date: Sunday 22nd March 2026 14:21:04
Website - birataryal.com.np
Repository - Birat Aryal
LinkedIn - Birat Aryal
DevSecOps Engineer | System Engineer | Cyber Security Analyst | Network Engineer
The basic set of commands and the mindset that should be embedded in your muscle memory, so that they are ready to hand when troubleshooting issues or concerns raised in any environment.
## Boot Process
## Directory Structure

| Directory | Used For |
|---|---|
| /etc | Configuration files of the installed services and of the system. |
| /var | Variable data, including the logs of services and of the system under /var/log. |
| /home | Home directories of the users created on the system. |
| /usr | User-space applications, libraries, documentation and binaries shared by all users. |
| /bin | Executables needed for basic system operation. |
| /opt | Additional, self-contained third-party or custom applications. |
| /tmp | World-writable directory (with the sticky bit set, so users cannot delete each other's files) used by the system and by applications for temporary files; its contents are normally cleared at reboot. |

In a cloud environment the logs generated under /var/log are shipped to CloudWatch Logs, so they survive even if the instance is compromised or terminated.
## Users, Groups, Permissions
The most common commands for user and group manipulation in Linux are `useradd`, `usermod`, `groupadd`, `chown` and `chmod`.

To create a system user, i.e. an account with a UID below the regular-user range (below 1000 on most distributions; the exact range is SYS_UID_MIN/SYS_UID_MAX in /etc/login.defs), use `useradd -r`. `usermod` only modifies an account that already exists:

`useradd -r -s /usr/sbin/nologin birat`

This creates a system user `birat` like those of mysql, nginx, tomcat, wildfly or docker; `-r` also skips creating a home directory. Give a service account a non-login shell such as /usr/sbin/nologin as above, and only use `-s /bin/bash` when the account genuinely needs an interactive shell: every system account with a login shell is an extra foothold if its password or keys leak.
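The check that follows from the point above, as an added example that is not part of the original page: audit a passwd file for system-range accounts that still carry an interactive shell. The passwd lines are constructed for the example; SYS_UID_MAX is assumed to be 999 unless read from login.defs, and the list of non-login shells is the conventional one, not the page's.

```python
"""Find system accounts that still have an interactive login shell.

Service users such as mysql or nginx should carry a non-login shell, so any
account in the system UID range with /bin/bash is worth a look. The passwd text
below is constructed; on a real host pass the contents of /etc/passwd and the
SYS_UID_MAX value from /etc/login.defs (999 is assumed as the default)."""
import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:112:118:MySQL Server:/nonexistent:/bin/false
nginx:x:113:119:nginx user:/var/cache/nginx:/usr/sbin/nologin
birat:x:998:998:service account:/var/lib/birat:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells that refuse an interactive login. /etc/shells lists the *allowed*
# shells; these are the conventional *denied* ones.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/true"}


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blanks, comments and malformed entries rather than crash
        yield fields[0], int(fields[2]), fields[6]


def system_accounts_with_login(text, sys_uid_max=999):
    """Return [(name, uid, shell)] for accounts in the system UID range
    (1..sys_uid_max) whose shell is interactive. root (uid 0) is excluded
    because it legitimately has a shell."""
    return [(name, uid, shell)
            for name, uid, shell in parse_passwd(text)
            if 1 <= uid <= sys_uid_max and shell not in NOLOGIN_SHELLS]


def sys_uid_max_from_login_defs(text, default=999):
    """Read SYS_UID_MAX from login.defs-formatted text, falling back to default."""
    m = re.search(r"^\s*SYS_UID_MAX\s+(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else default


if __name__ == "__main__":
    for name, uid, shell in system_accounts_with_login(SAMPLE_PASSWD):
        print(f"{name} (uid {uid}) is a system account with login shell {shell}")
```

On a real host: `system_accounts_with_login(open("/etc/passwd").read(), sys_uid_max_from_login_defs(open("/etc/login.defs").read()))`. Anything it reports should either be changed to a non-login shell with `usermod -s /usr/sbin/nologin name` or have a documented reason for keeping a shell.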
| Linux | AWS |
|---|---|
| User | IAM User |
| Group | IAM Group |
| Permission | IAM Policy |
| Root | AWS root |
In AWS, IAM groups are collections of users that simplify permission management: policies, written as JSON documents that define the allowed (or denied) actions (e.g. read-only, admin), are attached to the group rather than to individual users. A user can belong to multiple groups and inherits the permissions of all of them.

E.g.: if a user belongs to two groups, one an admin group with full access to all AWS resources across all regions and the other a read-only group limited to ec2 and s3 in us-east-1, the user ends up with full admin privileges across all regions, because the allows of both policies are combined and nothing in the read-only policy denies anything.

E.g.: use explicit Deny only for guardrails, such as: 1. Restricting regions, so that resources cannot be built or deployed in other regions. 2. Preventing deletion of resources.
### IAM Decision Order

- Explicit Deny: highest priority; if any applicable policy denies the action, the request is denied.
- Explicit Allow: evaluated only if no explicit deny matches.
- Default (implicit) Deny: the fallback when nothing allows the action.
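The two examples above and the decision order, as an added example that is not part of the original page: a small simulator of how IAM combines the policies a user inherits from every group. It handles only Effect, Action, Resource and the StringEquals/StringNotEquals condition operators on the real `aws:RequestedRegion` condition key; real IAM also has NotAction, service control policies, permission boundaries, resource policies and case-insensitive action matching. The three policy documents are constructed for the example.

```python
"""Minimal simulator of the IAM decision order:
explicit Deny > explicit Allow > implicit Deny, over all policies a user inherits."""
import fnmatch

# Group policies (constructed). A user in both groups inherits both documents.
ADMIN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
READONLY_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
}]}
# Guardrail: an explicit Deny wins over every Allow, so it pins the region and blocks deletes.
GUARDRAIL_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1"]}}},
    {"Effect": "Deny",
     "Action": ["ec2:TerminateInstances", "s3:DeleteBucket", "s3:DeleteObject"],
     "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Every operator/key pair must hold; an absent Condition always holds."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    # IAM wildcards (* and ?) map directly onto fnmatch; [...] classes are not IAM syntax.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition"), context))


def evaluate(policies, action, resource, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"                      # default when nothing matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"              # highest priority: stop at once
            decision = "Allow"                     # remember, but keep looking for a Deny
    return decision


def is_allowed(policies, action, resource, region):
    return evaluate(policies, action, resource, {"aws:RequestedRegion": region}) == "Allow"


if __name__ == "__main__":
    both = [ADMIN_POLICY, READONLY_POLICY]
    ctx = {"aws:RequestedRegion": "eu-west-1"}
    print(evaluate(both, "ec2:TerminateInstances", "*", ctx))           # Allow (admin wins everywhere)
    guarded = both + [GUARDRAIL_POLICY]
    print(evaluate(guarded, "ec2:RunInstances", "*", ctx))             # ExplicitDeny (wrong region)
    print(evaluate(guarded, "s3:DeleteBucket", "arn:aws:s3:::logs",
                   {"aws:RequestedRegion": "us-east-1"}))              # ExplicitDeny (delete blocked)
```

The first call shows why the read-only group adds nothing for a user who is also an admin; the guarded calls show that the two Deny statements override the admin Allow without having to touch the admin policy, which is exactly what makes explicit Deny suitable for guardrails and unsuitable for day-to-day permission design.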
## Process, threads, signals

### Process
- A single running instance of a program
- Has its own virtual address space; it can additionally be placed in its own cgroups and namespaces, which is how containers isolate it
- Has its own table of file descriptors

### Threads
- A lightweight unit of execution inside a process
- A single process can have multiple threads
- They share the address space, file descriptors and namespaces of their process, so memory corrupted by one thread is corrupted for all of them
- Each thread has its own stack and register state

### Signals
- A notification mechanism for delivering an asynchronous event to a process
- Most often used to ask a process to shut down or to reload its configuration
Common signals and their meanings:

| Signal | Meaning |
|---|---|
| SIGTERM | Graceful shutdown request; the default signal sent by `kill`. The process can catch it to clean up first, or ignore it. |
| SIGKILL | Force kill; it cannot be caught, blocked or ignored, so the process gets no chance to clean up. |
| SIGHUP | Reload configuration, by convention, for daemons such as nginx or sshd. For a process attached to a terminal it means the terminal hung up, and the default action is to terminate. |
#### Key Differences
| Feature | Process | Thread | Signal |
|---|---|---|---|
| Type | Execution unit | Sub-unit | Control mechanism |
| Memory | Isolated | Shared | No memory |
| Communication | IPC | shared memory | async event |
| Creation cost | High | Low | Very low |
| Example | nginx | worker thread | kill command |
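The SIGTERM/SIGKILL rows above in running code, as an added example that is not part of the original page. Two child Python processes are spawned from a child program constructed inline; both install a SIGTERM handler. The "graceful" child cleans up and exits 0, the "ignore" child swallows SIGTERM, which is exactly the case where an operator (or systemd at stop time) escalates to SIGKILL. Linux/Unix only.

```python
"""What SIGTERM and SIGKILL actually do to a process."""
import signal
import subprocess
import sys

# Child program run with `python -c`. argv[1] selects "graceful" or "ignore".
# Constructed for this example.
CHILD = r"""
import signal, sys, time
ignore = sys.argv[1] == "ignore"

def on_term(signum, frame):
    if ignore:
        return            # misbehaving daemon: pretends it never saw SIGTERM
    # Graceful shutdown: a real service would close sockets, flush buffers and
    # release locks here before exiting with status 0.
    sys.exit(0)

signal.signal(signal.SIGTERM, on_term)
print("ready", flush=True)   # tell the parent the handler is installed
while True:
    time.sleep(0.1)
"""


def _spawn(mode):
    proc = subprocess.Popen([sys.executable, "-c", CHILD, mode],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()   # block until "ready": signalling earlier would race the handler
    return proc


def stop_process(mode, grace_seconds=2.0):
    """Stop a child the way systemd does: SIGTERM, wait, then SIGKILL.

    Returns (signal_that_stopped_it, returncode). A negative returncode is the
    number of the signal that killed the process (-9 for SIGKILL)."""
    proc = _spawn(mode)
    try:
        proc.send_signal(signal.SIGTERM)
        try:
            rc = proc.wait(timeout=grace_seconds)
            return ("SIGTERM", rc)
        except subprocess.TimeoutExpired:
            proc.kill()            # SIGKILL: no handler runs, no cleanup happens
            return ("SIGKILL", proc.wait())
    finally:
        proc.stdout.close()


if __name__ == "__main__":
    print("graceful child:", stop_process("graceful"))   # ('SIGTERM', 0)
    print("ignoring child:", stop_process("ignore"))     # ('SIGKILL', -9)
```

The negative return code is how a parent (or `systemctl status`) tells a signal death from a normal exit: `-9` means the kernel killed the process, so any state it held in memory, including unflushed logs, is gone.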
## Systemd and service lifecycle

### Systemd
Systemd is the system and service manager: it initialises the system, starts and supervises services, and controls system resources from boot through runtime. On most distributions it has replaced SysV init (the init.d scripts); it boots faster because units are started in parallel according to their declared dependencies. It is the first userspace process started by the kernel and runs as PID 1.
### Commands and Details of Systemd

| Command | Used for |
|---|---|
| systemctl --version | Check the version of systemd |
| systemctl list-units | List the units systemd has loaded and is running (add `--all` to include inactive ones, `--type=service` to limit the list to services) |
| systemctl isolate graphical.target | Switch to the graphical target; the same approach (isolating rescue.target or multi-user.target) is used to troubleshoot any boot stage |
| systemctl edit servicename | Edit the service as a drop-in override under /etc/systemd/system/servicename.service.d/ (use `--full` to edit the whole unit); the override is picked up automatically |
| systemctl daemon-reload | Make systemd re-read unit files after they have been changed by hand |
| systemctl start/stop/status servicename | Start or stop the service, or show its status together with its most recent log lines |
| journalctl -xeu servicename | View the logs of the unit, with explanatory messages (-x), jumping to the end (-e) |
| journalctl -u servicename --since "30 minutes ago" | Show the logs of the unit for the last 30 minutes |
| journalctl -u servicename -p err --since "n minutes ago" | Show only messages at priority err or worse for the unit in the last n minutes |
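A unit file that ties the lifecycle commands above to the earlier sections (system user, /opt, /tmp, SIGTERM/SIGHUP), as an added example that is not part of the original page. The service name `myapp`, its paths and its user are assumptions; the directives are standard systemd ones.

```ini
# /etc/systemd/system/myapp.service  (hypothetical service; names and paths are assumptions)
[Unit]
Description=myapp API service
After=network-online.target
Wants=network-online.target

[Service]
# Run as the system account created with: useradd -r -s /usr/sbin/nologin myapp
User=myapp
Group=myapp
ExecStart=/opt/myapp/bin/myapp --config /etc/myapp/config.yaml
# `systemctl reload myapp` sends SIGHUP so the service re-reads its configuration
ExecReload=/bin/kill -HUP $MAINPID
# `systemctl stop myapp` sends SIGTERM, then SIGKILL if the service has not exited in time
KillSignal=SIGTERM
TimeoutStopSec=30
Restart=on-failure
RestartSec=5

# Least-privilege hardening; `systemd-analyze security myapp` reports the resulting exposure score
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/myapp /var/log/myapp
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictSUIDSGID=true
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
```

After writing the file run `systemctl daemon-reload`, then `systemctl enable --now myapp` and check `journalctl -xeu myapp`. `ProtectSystem=strict` mounts the whole filesystem read-only for the service except the `ReadWritePaths` listed, `PrivateTmp` gives it a /tmp nobody else can see, and the empty `CapabilityBoundingSet=` drops every capability, so a service that must bind a port below 1024 needs `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `AmbientCapabilities=CAP_NET_BIND_SERVICE` instead.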
#### Systemd Service inside AWS

| Service Name | Used for |
|---|---|
| cloud-init | Configures the instance on first boot: applies the network configuration from the instance metadata and runs the user data |
| amazon-ssm-agent | Remote automation, patching and command execution through Systems Manager; the AWS counterpart of VMware Tools. It talks outbound to the SSM endpoints instead of using SSH, so no inbound port 22 or SSH keys are needed, but anyone with `ssm:StartSession` on the instance gets a shell, so that IAM permission must be guarded as tightly as SSH access. |
| amazon-cloudwatch-agent | Ships the logs under /var/log (and host metrics) to CloudWatch |