Essential Linux Commands Every DEVOPS Engineer Should Know Part2

Updated: March 27, 2026

TL;DR

Network diagnostics with ss (replaces netstat), ip, curl, and dig; container debugging via docker exec and kubectl exec; real-time monitoring with htop and btop; and eBPF-based observability tools for deep system insight.

Building on Part 1's file and permission commands, Part 2 dives into the commands DevOps engineers use daily for troubleshooting, monitoring, and container operations. In 2026, as containerized workloads dominate infrastructure, understanding both traditional network commands and modern container debugging tools is essential. This section covers the networking toolkit, system monitoring commands, and container-specific operations that separate experienced DevOps engineers from beginners.

Network Diagnostics: The Modern Toolkit

The old ifconfig and netstat commands are deprecated in favor of the ip and ss commands, which provide more information and work across all modern Linux distributions.

IP Configuration (replaces ifconfig):

# Old way: ifconfig
ifconfig                        # Display all interfaces (deprecated)

# Modern replacement: ip
ip addr show                    # Show all IP addresses
ip addr show eth0               # Show specific interface
ip link set eth0 up             # Bring interface up
ip link set eth0 down           # Bring interface down
ip route show                   # Show routing table
ip route add 192.168.0.0/24 via 10.0.0.1  # Add static route

The ip command is faster, more powerful, and now standard across all Linux distributions. Use it for all interface configuration tasks.

Network Connections (replaces netstat):

# Old way: netstat (deprecated, slow on large systems)
netstat -tlnp                   # Show listening ports

# Modern replacement: ss (socket statistics)
ss -tlnp                        # Show listening ports (TCP, listening, numeric, program)
ss -tlnpu                       # Include UDP sockets
ss -atnepo                      # Show all connections with extended info
ss -anr | grep ESTABLISHED      # Show established connections
ss -k dst 192.168.1.100         # Kill connections to specific IP (advanced)

The ss command is built directly into the kernel's netlink interface, making it far faster than netstat — crucial when debugging connection issues on systems with thousands of open sockets.

Understanding ss flags:

-t: TCP sockets
-u: UDP sockets
-l: Listening sockets only
-a: All sockets
-n: Show numeric addresses (don't resolve hostnames)
-p: Show process name/PID
-e: Extended information
-o: Timer information

DNS Resolution (dig):

dig example.com                 # Full DNS query
dig example.com +short          # Short answer only
dig example.com MX              # Mail server records
dig @8.8.8.8 example.com        # Query specific nameserver
dig example.com +trace          # Trace entire DNS path
nslookup example.com            # Alternative (older but still useful)

When Kubernetes service discovery fails or DNS resolution breaks, dig provides detailed debugging information showing exact DNS responses.

Testing HTTP Connectivity:

curl https://example.com                    # Simple GET request
curl -I https://example.com                 # Headers only (useful for status codes)
curl -X POST -d '{"key":"value"}' https://example.com  # POST with JSON
curl -H "Authorization: Bearer TOKEN" https://example.com  # Custom headers
curl --resolve example.com:443:192.168.1.100 https://example.com  # Override DNS
curl -w "%{http_code}\n" -o /dev/null https://example.com  # Check status code only

For API debugging and quick connectivity tests, curl is indispensable in DevOps work.

Container Debugging Commands

Docker Debugging

docker ps                       # List running containers
docker ps -a                    # List all containers (including stopped)
docker logs <container_id>      # View container output
docker logs -f <container_id>   # Follow logs in real-time
docker exec -it <container_id> /bin/bash  # Open shell in running container
docker exec <container_id> cat /etc/hosts  # Run command without interactive shell
docker inspect <container_id>   # View detailed container configuration
docker top <container_id>       # View running processes inside container
docker stats                    # Real-time resource usage (memory, CPU)
docker network ls               # List networks
docker network inspect <network>  # Inspect specific network

The docker exec -it combination is critical for debugging application issues without rebuilding containers. The -i flag keeps stdin open, and -t allocates a pseudo-terminal.

Kubernetes Debugging

kubectl exec -it <pod> -- /bin/bash      # Open shell in pod
kubectl exec <pod> -- cat /var/log/app   # Run command in pod
kubectl logs <pod>                       # View pod logs
kubectl logs -f <pod>                    # Follow pod logs
kubectl logs <pod> -c <container>        # Logs from specific container
kubectl logs <pod> --tail=50              # Last 50 lines
kubectl describe pod <pod>               # Detailed pod information
kubectl get events -n <namespace>        # Recent events in namespace
kubectl top pod <pod>                    # Resource usage for pod
kubectl port-forward <pod> 8080:8080     # Forward local port to pod
kubectl cp <pod>:/path/to/file ./local   # Copy file from pod

When a Kubernetes pod crashes or behaves unexpectedly, kubectl logs and kubectl exec are your first debugging tools. The --tail flag is useful to avoid overwhelming output from long-running containers.

Container Runtime (crictl)

For systems using container runtimes like containerd (common in Kubernetes), use crictl:

crictl ps                       # List running containers
crictl logs <container_id>      # View container logs
crictl exec -it <container_id> /bin/bash  # Shell into container
crictl inspect <container_id>   # Container details
crictl images                   # List pulled images

crictl is essential on Kubernetes nodes where Docker may not be installed but containerd is.

System Monitoring and Performance

htop (Interactive Process Monitor)

htop                            # Interactive process list
htop -p <pid>                   # Monitor specific process
htop -u <username>              # Monitor specific user's processes
# Within htop: press F6 to sort by different columns (CPU, memory, etc.)

htop is far superior to top, providing color-coded output, better sorting, and an interactive interface.

btop (Modern Resource Monitor)

btop                            # Full system resource overview
# Shows: CPU, memory, disks, network, processes
# Interactive: sort by column, search processes, kill processes

btop is a modern reimplementation of top and htop with a graphical terminal interface showing CPU, memory, disk, and network in one view.

Disk I/O Monitoring

iotop                           # Real-time disk I/O by process
iotop -o                        # Only show processes doing I/O
iotop -b                        # Batch mode (non-interactive output)
iostat -x 1                     # Extended I/O statistics, refresh every 1 second
dstat                           # Combined resource monitoring (CPU, disk, network)
dstat -cd --disk-util           # Disk utilization summary

When experiencing disk I/O bottlenecks, iotop immediately shows which processes are accessing disk heavily.

Network Traffic Monitoring

nethogs                         # Bandwidth usage by process
nethogs -r                      # Reverse sorting (highest bandwidth first)
iftop                           # Live network bandwidth by host
iftop -P                        # Show ports
nload                           # Simple bandwidth graph

nethogs shows which application is consuming bandwidth — critical for identifying noisy neighbors in shared infrastructure.

Memory Analysis

free -h                         # Human-readable memory usage
free -h -s 2                    # Refresh every 2 seconds
ps aux --sort=-%mem | head -10  # Top 10 memory-consuming processes
pmap -x <pid>                   # Memory map of specific process
smem -s swap -sk -r             # Summary of system memory (installed: `sudo pip install smem`)

eBPF-Based Observability Tools

eBPF (extended Berkeley Packet Filter) allows running secure kernel programs without recompilation. Several modern tools use eBPF for deep system observability:

tcpdump (packet capture):

tcpdump -i eth0                 # Capture all traffic on eth0
tcpdump -i eth0 port 80         # Capture HTTP traffic
tcpdump -i eth0 src 192.168.1.100  # Capture traffic from specific IP
tcpdump -i eth0 -w capture.pcap # Save to file for analysis
tcpdump -i eth0 -A              # Print packet contents (ASCII)

eBPF-based tools (emerging in 2025-2026):

bpftrace: Dynamic tracing of system calls and events
ebpf: Custom kernel observability without recompilation
falco: Runtime security monitoring using eBPF

Example with bpftrace:

bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s\n", str(args->filename)); }'
# Trace all file open system calls in real-time without kernel recompilation

Process Management

ps aux                          # List all running processes
ps aux | grep nginx             # Find specific process
ps -ef --forest                 # Process tree (hierarchical view)
pgrep -l "python.*"             # Find processes matching pattern
pkill -f "old_process"          # Kill process by pattern (safer than killall)
kill <pid>                      # Send SIGTERM (graceful shutdown)
kill -9 <pid>                   # Send SIGKILL (force kill, last resort)
killall nginx                   # Kill all instances of process (dangerous!)
fg                              # Bring background job to foreground
bg                              # Resume stopped job in background
jobs                            # List background jobs
wait <pid>                      # Wait for process to complete

The pkill command is safer than killall because it supports pattern matching but is more specific than killing by name alone.

System Information

uname -a                        # Kernel version and system info
lsb_release -a                  # Linux distribution version
cat /proc/cpuinfo                # CPU information
cat /proc/meminfo               # Memory information
lscpu                           # CPU architecture summary
lsblk                           # Block devices and partitions
lspci                           # PCI devices (GPUs, NICs)
lsusb                           # USB devices

When troubleshooting compatibility issues or performance problems, quickly checking kernel version and hardware specs is essential.

Quick Reference Cheat Sheet

Task	Command	Use Case
Find listening ports	`ss -tlnp`	Troubleshoot port conflicts
Monitor processes	`btop` or `htop`	Check CPU/memory usage
View container logs	`docker logs -f <id>`	Debug container issues
Debug pod networking	`kubectl exec -it <pod> -- bash`	Network troubleshooting
Monitor disk I/O	`iotop -o`	Find I/O bottlenecks
Check DNS resolution	`dig example.com`	DNS troubleshooting
Monitor bandwidth	`nethogs -r`	Find bandwidth hogs
View process tree	`ps -ef --forest`	Understand process hierarchy

Conclusion

Part 2 equips you with the networking, monitoring, and container debugging tools necessary for production DevOps work. Mastery of ss, ip, and curl for networking; docker exec and kubectl exec for container debugging; and btop, iotop, and nethogs for real-time monitoring makes you effective at diagnosing infrastructure issues quickly. As containerization and Kubernetes adoption continue in 2026, these commands remain fundamental to any DevOps engineer's toolkit.