Linux Performance & Debugging Cheat Sheet

Brendan Gregg's USE method gives you a systematic way to find bottlenecks instead of guessing. For every resource - CPU, memory, disk, network interfaces - check three things. Utilization: the percentage of time the resource was busy. Saturation: the degree of queued or waiting work it could not service immediately (run-queue length, swap activity, I/O wait). Errors: the count of error events (dropped packets, failed I/O, ECC errors). Walk each resource through U, S, and E and the bottleneck usually falls out. High utilization alone is not a problem; high saturation almost always is.

When you ssh into a sick box, run a fast top-down sweep before diving deep. Start with 'uptime' for load averages, then 'dmesg | tail' for recent kernel messages (OOM kills, disk errors, segfaults). 'vmstat 1' shows run queue, swap, and CPU split over time; 'mpstat -P ALL 1' shows whether load is on one core or spread out; 'pidstat 1' attributes CPU to processes. Then 'iostat -xz 1' for disk pressure, 'free -m' for memory headroom, and 'ss -s' plus 'sar -n DEV 1' for network. The point is breadth first - confirm which resource is the problem, then drill in with the focused tools below.

The three load-average numbers (from 'uptime' or 'top') are the 1-, 5-, and 15-minute exponentially-weighted averages of the number of processes running plus waiting to run - and, on Linux specifically, processes in uninterruptible sleep (usually blocked on disk or network I/O). Compare against your core count: a load of 4.0 is fully busy on a 4-core box and badly oversubscribed on a 1-core box. The trend across the three numbers matters - 1-minute much higher than 15-minute means load is rising right now; the reverse means it is recovering. Because Linux counts I/O wait in load, a high load with idle CPUs points at disk or network, not compute.

free / available

In 'free -h', look at the 'available' column, not 'free' - the kernel uses spare RAM for page cache that it can reclaim instantly, so low 'free' is normal and healthy.

vmstat si / so

Nonzero 'si' (swap in) and 'so' (swap out) columns mean the system is actively swapping - a strong saturation signal that hurts latency.

OOM killer

When memory is exhausted and unreclaimable, the kernel's out-of-memory killer terminates a process to free RAM, choosing by an oom_score heuristic. It logs to dmesg and the kernel log - grep for 'Out of memory' or 'oom-kill'.

/proc/meminfo

Authoritative memory breakdown - MemTotal, MemAvailable, Cached, Buffers, SwapTotal/SwapFree, and Slab. Where 'free' gets its numbers.

The /proc pseudo-filesystem is the kernel's live window into the system, exposed as files. System-wide: '/proc/loadavg' (load), '/proc/stat' (CPU and boot counters), '/proc/meminfo' (memory), '/proc/cpuinfo' (cores and flags), '/proc/mounts', and '/proc/net/' (per-protocol socket tables). Per process under '/proc/<pid>/': 'status' and 'stat' for state and resource use, 'fd/' for open file descriptors, 'maps' for the memory layout, 'cmdline' for the launch arguments, 'environ' for the environment, and 'limits' for ulimits. Many standard tools are just friendly readers over these files.

• ·Go top-down: confirm which resource is saturated (CPU, memory, disk, network) before reaching for deep tools like strace or perf.
• ·Check 'dmesg | tail' early - OOM kills, disk read errors, and segfaults show up there and instantly explain a lot of symptoms.
• ·Distinguish utilization from saturation - 100% CPU utilization is fine if the run queue is short; a growing run queue or rising I/O wait is the real warning.
• ·On Linux, high load average with idle CPUs means processes are blocked in uninterruptible I/O sleep - look at disk and network, not compute.
• ·strace and ltrace add real overhead and can slow a hot process - attach with '-p' briefly, use '-c' for a summary, and detach.
• ·When the disk looks full, check inodes too ('df -i') - you can exhaust inodes with many tiny files while bytes-free still looks fine.
• ·Sample over an interval (the trailing '1') rather than trusting a single snapshot - instantaneous values lie.