# find — searches for FILES by name, type, size, date
# Searches the filesystem (directory tree)

# Find all .log files in /var/log
find /var/log -name "*.log"

# Find files modified in the last 24 hours
find /home -mtime -1

# Find files larger than 100MB
find / -size +100M -type f

# Find empty directories
find /tmp -type d -empty

# grep — searches INSIDE files for text patterns
# Searches file contents (line by line)

# Search for "error" in all log files
grep -r "error" /var/log/

# Search for "timeout" case-insensitive, show line numbers
grep -rni "timeout" /etc/nginx/

# Combine both: find files, then search inside them
find /var/log -name "*.log" -exec grep -l "OOM" {} \;
# Finds all .log files that contain "OOM" (Out of Memory)

# Key difference:
# find = WHERE is the file?
# grep = WHAT is inside the file?

$ ls -la /etc/nginx/nginx.conf
-rw-r--r-- 1 root root 2656 Mar 15 09:22 /etc/nginx/nginx.conf

# Breaking down each column:
# -rw-r--r--  → file type + permissions
#   -          → file type (- = file, d = directory, l = symlink)
#   rw-        → owner permissions (read, write, no execute)
#   r--        → group permissions (read only)
#   r--        → others permissions (read only)
#
# 1           → number of hard links
# root        → owner (user)
# root        → group
# 2656        → file size in bytes
# Mar 15 09:22 → last modification date
# /etc/nginx/nginx.conf → filename

# The -a flag shows hidden files (starting with .)
# The -l flag shows the long format (detailed view)

# Common variations:
# ls -lh    → human-readable sizes (KB, MB, GB)
# ls -lt    → sort by modification time (newest first)
# ls -lS    → sort by file size (largest first)
# ls -laR   → recursive listing of all subdirectories

# Hard link — shares the same inode (same data on disk)
ln original.txt hardlink.txt

# Soft link (symlink) — pointer to the original file path
ln -s original.txt softlink.txt

# Check inodes:
ls -li original.txt hardlink.txt softlink.txt
# 1234567 -rw-r--r-- 2 user user 100 original.txt
# 1234567 -rw-r--r-- 2 user user 100 hardlink.txt   ← same inode!
# 7654321 lrwxrwxrwx 1 user user  12 softlink.txt → original.txt

# What happens when you delete the original?
rm original.txt

# Hard link: STILL WORKS — data exists until all hard links are removed
cat hardlink.txt    # works fine

# Soft link: BROKEN — points to a path that no longer exists
cat softlink.txt    # "No such file or directory"

# Key differences:
# Hard link: same inode, cannot cross filesystems, cannot link directories
# Soft link: different inode, can cross filesystems, can link directories
# Hard link: survives original deletion
# Soft link: breaks when original is deleted

# df — disk free (filesystem level)
df -h
# Shows mounted filesystems, total/used/available space
# -h = human-readable (GB, MB instead of blocks)

# du — disk usage (directory level)
du -sh /var/log
# Shows total size of a specific directory
# -s = summary (total only, not each file)
# -h = human-readable

# Find the largest directories under /var
du -sh /var/* | sort -rh | head -10

# ncdu — interactive disk usage analyzer (install if not present)
ncdu /var
# Navigate with arrow keys, see what is eating disk space

# Find files larger than 1GB
find / -type f -size +1G -exec ls -lh {} \;

# Check inode usage (can run out even with free disk space)
df -i
# Important: running out of inodes is a real production issue
# Millions of tiny files can exhaust inodes before disk space

# Permission structure: owner | group | others
# Each has: read (r=4), write (w=2), execute (x=1)

# rwxr-xr-x = 755
# owner: rwx = 4+2+1 = 7 (full access)
# group: r-x = 4+0+1 = 5 (read + execute)
# others: r-x = 4+0+1 = 5 (read + execute)

# Common permission sets:
# 755 — directories, scripts (owner full, others read+execute)
# 644 — regular files (owner read+write, others read only)
# 600 — private files like SSH keys (owner only)
# 777 — NEVER use in production (everyone has full access)

# chmod — change permissions
chmod 755 deploy.sh          # octal notation
chmod u+x deploy.sh          # symbolic: add execute for owner
chmod g-w config.yml         # symbolic: remove write for group
chmod o-rwx secrets.env      # symbolic: remove all for others

# Recursive permission change
chmod -R 755 /var/www/html/  # apply to all files and subdirectories

# Directories need execute (x) permission to be entered
# Without x on a directory, you cannot cd into it
# This catches many candidates off guard

# chmod — change MODE (permissions)
# Controls WHAT can be done with the file
chmod 644 index.html         # owner: rw, group: r, others: r
chmod u+x script.sh          # add execute for owner

# chown — change OWNER (ownership)
# Controls WHO owns the file
chown nginx:nginx /var/www/html/index.html
# Changes owner to nginx, group to nginx

# chown user:group file
chown deploy:deploy /opt/app/ -R    # recursive ownership change

# Common scenario: web server cannot read files
# Step 1: Check ownership
ls -la /var/www/html/
# -rw-r--r-- 1 root root 1024 index.html
# Problem: owned by root, but nginx runs as nginx user

# Step 2: Fix ownership
chown -R nginx:nginx /var/www/html/

# Step 3: Set correct permissions
chmod -R 755 /var/www/html/
chmod 644 /var/www/html/*.html

# Key difference:
# chmod = WHAT actions are allowed (read/write/execute)
# chown = WHO owns the file (user/group)

# SUID (Set User ID) — file executes as the file owner, not the user
# Octal: 4xxx
chmod 4755 /usr/bin/passwd
ls -la /usr/bin/passwd
# -rwsr-xr-x 1 root root  → notice the 's' in owner execute
# passwd runs as root even when a normal user executes it
# This is how regular users can change their own passwords
# (passwd needs root access to write to /etc/shadow)

# SGID (Set Group ID) — file executes with the file's group
# On directories: new files inherit the directory's group
# Octal: 2xxx
chmod 2755 /shared/project/
# All files created in /shared/project/ inherit the group
# Useful for team collaboration directories

# Sticky bit — only the file owner can delete their files
# Octal: 1xxx
chmod 1777 /tmp
ls -ld /tmp
# drwxrwxrwt → notice the 't' at the end
# Everyone can write to /tmp, but you can only delete YOUR files
# Without sticky bit, anyone could delete anyone's temp files

# Security note: SUID on custom scripts is a security risk
# Attackers look for SUID binaries to escalate privileges
# Find all SUID files: find / -perm -4000 -type f 2>/dev/null

# Method 1: ps + grep + kill
ps aux | grep nginx
# USER  PID %CPU %MEM  VSZ   RSS TTY STAT START TIME COMMAND
# root  1234 0.0  0.1 12345 6789 ?   Ss   09:00 0:00 nginx: master
# www   1235 0.5  0.3 23456 7890 ?   S    09:00 0:15 nginx: worker

kill 1234              # send SIGTERM (graceful shutdown)
kill -9 1234           # send SIGKILL (forced — last resort)

# Method 2: pkill (kill by name)
pkill nginx            # kills all processes named nginx
pkill -f "python app"  # kills processes matching full command

# Method 3: top / htop (interactive)
top                    # real-time process viewer
# Press 'k' to kill, enter PID, choose signal
# Press 'M' to sort by memory, 'P' to sort by CPU

htop                   # better version of top (install if needed)
# Arrow keys to navigate, F9 to kill, F6 to sort

# Method 4: Find by port
lsof -i :8080         # find process using port 8080
# Then kill the PID from the output

# Method 5: pgrep (find PID by name)
pgrep -a nginx        # shows PID and full command

# kill (SIGTERM — signal 15) — graceful shutdown
kill 1234
# Process receives the signal and can:
# - Close database connections
# - Flush buffers to disk
# - Remove temporary files
# - Complete in-flight requests
# - Exit cleanly

# kill -9 (SIGKILL — signal 9) — forced termination
kill -9 1234
# Kernel immediately terminates the process
# Process CANNOT catch or ignore this signal
# No cleanup happens — data may be lost
# Use only when SIGTERM does not work

# Common signals:
# kill -1  (SIGHUP)  — reload configuration (used by nginx, apache)
# kill -2  (SIGINT)  — same as Ctrl+C
# kill -15 (SIGTERM) — graceful shutdown (default)
# kill -9  (SIGKILL) — forced kill (cannot be caught)
# kill -19 (SIGSTOP) — pause process
# kill -18 (SIGCONT) — resume paused process

# Best practice: ALWAYS try SIGTERM first, wait 5-10 seconds
# Only use SIGKILL if the process is truly stuck
# kill -9 on a database can corrupt data

# Foreground — blocks the terminal until complete
./backup.sh              # terminal is locked until script finishes

# Background — runs without blocking the terminal
./backup.sh &            # & sends it to background immediately
# [1] 5678               # job number and PID

# Managing background jobs
jobs                     # list all background jobs
# [1]+  Running  ./backup.sh &

fg %1                    # bring job 1 to foreground
# Ctrl+Z                 # suspend (pause) the foreground process
bg %1                    # resume suspended process in background

# nohup — keeps running after you log out
nohup ./deploy.sh &
# Output goes to nohup.out by default
# Process survives terminal close and SSH disconnect

# Redirect output with nohup
nohup ./deploy.sh > deploy.log 2>&1 &
# stdout and stderr both go to deploy.log

# disown — detach a running job from the terminal
./long-task.sh &
disown %1                # process continues even if terminal closes
# Unlike nohup, disown works on already-running processes

# screen / tmux — persistent terminal sessions (better approach)
tmux new -s deploy       # create named session
./deploy.sh              # run your command
# Ctrl+B, D              # detach from session
tmux attach -t deploy    # reattach later, even from another SSH

# What is a zombie process?
# A child process that has finished but parent hasn't called wait()
# Shows as "Z" or "defunct" in ps output

# Find zombie processes
ps aux | grep -w Z
# USER  PID %CPU %MEM STAT COMMAND
# root  5678 0.0  0.0  Z   [myapp] <defunct>

# Why zombies exist:
# Child process finishes → sends SIGCHLD to parent
# Parent should call wait() to read exit status
# If parent ignores SIGCHLD → child stays as zombie

# You CANNOT kill a zombie with kill -9
# The zombie is already dead — it is just a process table entry

# How to fix:
# Option 1: Kill the PARENT process
# When parent dies, zombies are adopted by init (PID 1)
# init automatically calls wait() and cleans them up
kill $(ps -o ppid= -p 5678)    # kill the parent of zombie PID 5678

# Option 2: Send SIGCHLD to the parent
kill -SIGCHLD $(ps -o ppid= -p 5678)
# Reminds the parent to call wait()

# Option 3: Fix the application code
# The parent process should handle SIGCHLD properly
# signal(SIGCHLD, SIG_IGN)  — in C, ignore child signals
# This tells the kernel to auto-reap child processes

# A few zombies are harmless — thousands indicate a buggy parent

# ss — modern replacement for netstat (faster, more info)
ss -tlnp
# -t = TCP only
# -l = listening ports only
# -n = show port numbers (not service names)
# -p = show process using the port

# Output:
# State  Recv-Q Send-Q Local Address:Port  Process
# LISTEN 0      128    0.0.0.0:22          sshd
# LISTEN 0      511    0.0.0.0:80          nginx
# LISTEN 0      128    127.0.0.1:5432      postgres

# netstat — legacy but still widely used
netstat -tlnp
# Same flags as ss, same output format
# Deprecated on newer systems but still asked in interviews

# lsof — list open files (everything is a file in Linux)
lsof -i :80              # what process is using port 80?
lsof -i -P -n            # all network connections

# Check if a specific port is open from another machine
# From client:
telnet server-ip 80      # test TCP connectivity
nc -zv server-ip 80      # netcat — cleaner alternative
curl -v server-ip:80     # test HTTP specifically

# Key insight: "port is open" means a process is LISTENING
# "port is closed" means nothing is listening
# "port is filtered" means a firewall is blocking it

# Systematic troubleshooting — bottom up:

# Step 1: Check if the host is reachable (ICMP)
ping -c 4 google.com
# If this fails: network is down, DNS is broken, or ICMP is blocked

# Step 2: Check DNS resolution
dig google.com           # detailed DNS lookup
nslookup google.com      # simpler DNS lookup
cat /etc/resolv.conf     # check configured DNS servers
# If DNS fails but IP works: DNS server issue

# Step 3: Trace the network path
traceroute google.com    # shows each hop to the destination
mtr google.com           # combines ping + traceroute (real-time)
# Look for where packets start dropping

# Step 4: Test specific port connectivity
curl -v https://api.example.com/health
# Shows connection details, SSL handshake, response
telnet api.example.com 443
# Tests raw TCP connectivity to a specific port

# Step 5: Check local network configuration
ip addr show             # show IP addresses on all interfaces
ip route show            # show routing table
cat /etc/hosts           # check local hostname overrides

# Step 6: Check firewall rules
iptables -L -n           # list all firewall rules
firewall-cmd --list-all  # if using firewalld

# Common pattern: "curl works from server A but not server B"
# → Usually a security group / firewall rule issue

# iptables — legacy, chain-based firewall
# Uses chains: INPUT, OUTPUT, FORWARD
# Rules are processed top to bottom, first match wins

# Allow SSH (port 22)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Drop all other incoming traffic
iptables -A INPUT -j DROP

# Save rules (they are lost on reboot otherwise)
iptables-save > /etc/iptables/rules.v4

# firewalld — modern, zone-based firewall
# Uses zones (public, internal, trusted, etc.)
# Changes can be made without restarting the firewall

# Check active zone
firewall-cmd --get-active-zones

# Allow HTTP service
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload

# Allow a specific port
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload

# Key differences:
# iptables: static rules, requires restart to apply changes
# firewalld: dynamic, changes apply without restart
# iptables: chain-based (INPUT/OUTPUT/FORWARD)
# firewalld: zone-based (public/internal/trusted)
# firewalld uses iptables/nftables as the backend

#!/bin/bash
# find_large_files.sh — Find files larger than 100MB

TARGET_DIR=${1:-/}          # default to root if no argument
SIZE_LIMIT=${2:-100M}       # default to 100MB

echo "Searching for files larger than $SIZE_LIMIT in $TARGET_DIR..."
echo "============================================="

find "$TARGET_DIR" -type f -size +$SIZE_LIMIT -exec ls -lh {} \; 2>/dev/null | \
  awk '{print $5, $9}' | \
  sort -rh | \
  head -20

echo "============================================="
echo "Top 20 largest files shown."

# Usage:
# chmod +x find_large_files.sh
# ./find_large_files.sh /var 50M     # files > 50MB in /var
# ./find_large_files.sh /home        # files > 100MB in /home (default)
# ./find_large_files.sh              # files > 100MB everywhere (default)

# More advanced version with total size:
TOTAL=$(find "$TARGET_DIR" -type f -size +$SIZE_LIMIT -exec du -ch {} + 2>/dev/null | \
  tail -1 | awk '{print $1}')
echo "Total space used by large files: $TOTAL"

# $@ and $* — both represent all script arguments
# The difference appears when QUOTED

# Given: ./script.sh "hello world" foo bar

# "$@" — each argument stays separate (PRESERVES quoting)
for arg in "$@"; do
  echo "Arg: $arg"
done
# Output:
# Arg: hello world    ← preserved as one argument
# Arg: foo
# Arg: bar

# "$*" — all arguments merged into ONE string
for arg in "$*"; do
  echo "Arg: $arg"
done
# Output:
# Arg: hello world foo bar    ← everything is one string

# Without quotes, $@ and $* behave the same (word splitting)
# ALWAYS use "$@" when passing arguments to other commands

# Other special variables:
# $0  — script name
# $1  — first argument
# $#  — number of arguments
# $?  — exit status of last command (0 = success)
# $$  — PID of current script
# $!  — PID of last background process

# Practical example: wrapper script
#!/bin/bash
# deploy.sh — wrapper that logs and forwards all arguments
echo "$(date): Running deploy with args: $@" >> /var/log/deploy.log
/opt/deploy/run.sh "$@"    # forward ALL arguments correctly

# crontab — schedule recurring tasks
crontab -e               # edit your cron jobs
crontab -l               # list your cron jobs

# Cron syntax:
# ┌───────── minute (0-59)
# │ ┌─────── hour (0-23)
# │ │ ┌───── day of month (1-31)
# │ │ │ ┌─── month (1-12)
# │ │ │ │ ┌─ day of week (0-7, 0 and 7 = Sunday)
# │ │ │ │ │
# * * * * * command

# Examples:
# Every day at 2:30 AM
30 2 * * * /opt/scripts/backup.sh

# Every Monday at 9 AM
0 9 * * 1 /opt/scripts/weekly-report.sh

# Every 5 minutes
*/5 * * * * /opt/scripts/health-check.sh

# First day of every month at midnight
0 0 1 * * /opt/scripts/monthly-cleanup.sh

# Common pitfalls:
# 1. Cron uses a minimal PATH — use full paths for commands
#    BAD:  * * * * * python script.py
#    GOOD: * * * * * /usr/bin/python3 /opt/scripts/script.py

# 2. Redirect output or it goes to mail
* * * * * /opt/scripts/task.sh >> /var/log/task.log 2>&1

# 3. Environment variables are NOT loaded
# Add at top of crontab: SHELL=/bin/bash
# Or source your profile in the script

# systemd timers — modern alternative to cron
# More features: logging, dependencies, randomized delays
systemctl list-timers    # show all active timers