We use cookies for site analytics. Accept to help us understand how the site is used. See our Privacy Policy for details.
Filesystem layout, the commands you actually use (find / grep / awk / sed / xargs), processes and signals, networking, permissions, basic shell scripting, and a vi survival kit.
Unix-fluency shows up in three interview moments: a system-design discussion that drops into how you'd debug a hot host, an SRE / platform round that grills tooling, and the take-home where the reviewer judges your shell hygiene. The shell is also where 90% of incident response happens. Knowing the right command in the right shape is faster than reaching for any GUI, every time.
The standard directory roles. Most Linux distros follow the Filesystem Hierarchy Standard.
Find files, search inside files, transform text. find + grep + xargs is the workhorse triple.
| Command | What it does | Common flags | Example |
|---|---|---|---|
| ls | List directory contents. | -l (long), -a (incl. dotfiles), -h (human sizes), -t (sort by mtime), -S (sort by size), -1 (one per line) | ls -lah /var/log |
| find | Recursive file search by name, type, size, mtime, etc. | -name, -iname, -type f|d, -size, -mtime, -newer, -maxdepth, -exec ... \; | find . -type f -name '*.log' -mtime -1 -exec gzip {} \; |
| grep | Regex search inside files. | -r (recursive), -n (line numbers), -i (case-insensitive), -E (extended regex), -v (invert), -l (list files only), -A/-B/-C (context) | grep -rn --include='*.ts' 'TODO' src/ |
| rg (ripgrep) | Faster grep with sane defaults (gitignore-aware, recursive by default). Not POSIX but ubiquitous in modern dev environments. | -i, -n, -t TYPE, -g GLOB, --hidden | rg -t ts 'TODO\|FIXME' |
| awk | Field-aware text processor. Default field separator is whitespace. Each line -> $0; fields are $1, $2, .... | -F (field separator), -v (var assignment) | awk -F: '$3 >= 1000 { print $1 }' /etc/passwd # human users |
| sed | Stream editor for line-oriented substitution and deletion. | -i (in-place), -E (extended regex), -n (suppress) | sed -i.bak 's/foo/bar/g' file.txt # in-place with .bak backup |
| xargs | Build command lines from stdin. Pairs with find / ls / grep -l. | -0 (NUL-delimited), -n (max args/cmd), -P (parallel), -I (replace token) | find . -name '*.tmp' -print0 | xargs -0 rm # NUL-safe deletes |
| sort / uniq | Sort lines / collapse adjacent duplicates. | sort: -n (numeric), -k N (key field), -r (reverse), -u (unique). uniq: -c (count), -d (dups only) | cut -d' ' -f1 access.log | sort | uniq -c | sort -rn | head |
| cut / tr / head / tail / wc | cut = extract columns. tr = translate / squeeze chars. head/tail = first/last N. wc = count lines/words/bytes. | cut -d -f. tr -s -d. head -n. tail -n -f (follow). wc -l -w -c | tail -n 100 -f /var/log/syslog |
| diff / patch | Compare files / apply diffs. | diff -u (unified), -r (recursive). patch -p1 | diff -u old.txt new.txt > my.patch |
| tar / gzip / zstd | Bundle + compress / decompress. | tar -czf out.tgz dir/ (create gzip). tar -xzf in.tgz (extract). gzip -k (keep). zstd -k -19 | tar -czf logs-$(date +%F).tgz /var/log/myapp/ |
Inspect what's running, control it, and send the right signal when something is wedged.
| Command | What it does | Common flags | Example |
|---|---|---|---|
| ps | Snapshot of processes. | aux (all + user + mem), -ef (full format), -o (custom columns) | ps aux --sort=-%mem | head |
| top / htop | Interactive process monitor. htop is the friendlier color version. | Inside: P (sort cpu), M (sort mem), F2 (htop config), T (tree view) | htop |
| kill | Send a signal to a process. Default signal is TERM. | -l (list signals), -9 (KILL - immediate, no cleanup), -15 (TERM - graceful), -1 (HUP - reload config), -2 (INT - same as Ctrl+C) | kill -TERM 12345 # ask politely. Then -9 if it ignores you. |
| pkill / pgrep | Kill / find by name pattern. | -f (match full cmdline), -u USER | pkill -f 'python my-stuck-script' |
| nohup / & | Run a command immune to hangups (terminal close). & backgrounds. | Pipe stdout/err with > and 2>&1. | nohup ./long-job.sh > job.log 2>&1 & |
| jobs / fg / bg / disown | Manage shell-backgrounded jobs. fg foregrounds, bg resumes in background, disown detaches from shell. | %1, %2 (job specs) | Ctrl+Z; bg %1; disown %1 |
| lsof | List open files. Powerful: open files include sockets, devices, deleted-but-held files. | -i :PORT (network), -p PID, -u USER, +D DIR (recursive) | lsof -i :8080 # who's holding port 8080? |
| strace / ltrace | Trace syscalls / library calls of a running process. Last-resort debugging. | strace -p PID, -e trace=open,read, -c (summary), -f (follow forks) | strace -f -e trace=network -p 12345 |
Send with kill -<NAME> <pid>. The defaults of TERM (15) and KILL (9) cover most needs.
Inspect interfaces, sockets, DNS, HTTP. ss has replaced netstat on most distros.
| Command | What it does | Common flags | Example |
|---|---|---|---|
| ip | Modern replacement for ifconfig + route. Inspect / configure interfaces, addresses, routes. | ip addr, ip link, ip route, ip -s | ip -br addr # one-line per interface |
| ss | Socket statistics. Replaces netstat. Faster, friendlier output. | -t (TCP), -u (UDP), -l (listening), -n (no DNS), -p (process) | ss -tlnp # all listening TCP sockets with process |
| netstat | Older / portable equivalent of ss. Still common in older distros. | -tlnp, -an, -r (routes) | netstat -tlnp |
| curl | Make HTTP/S requests. Default GET. Supports almost every protocol. | -X METHOD, -H 'Header: val', -d 'body', -i (response headers), -I (HEAD only), -L (follow redirects), -k (skip TLS verify), -s (silent), -o file, -w '%{http_code}\n' | curl -isL -H 'Accept: application/json' https://api.example.com/v1/health |
| wget | Download files. Better than curl for recursive mirrors. | -c (continue), -r (recursive), -O (output name) | wget -c https://example.com/big.iso |
| dig | DNS query tool. | +short, +trace, +noall +answer, @8.8.8.8 (server), -t TYPE | dig +short A gitgood.dev |
| nslookup | Older DNS tool. dig is preferred. | (interactive or one-shot) | nslookup gitgood.dev |
| ping / traceroute / mtr | ICMP reachability / per-hop latency. mtr combines ping + traceroute interactively. | ping -c N -i SEC. traceroute -n. mtr -n -r -c 50 | mtr -rn -c 30 1.1.1.1 |
| nc (netcat) | Raw TCP/UDP swiss-army knife. Listen, scan, port-test, transfer files. | -l (listen), -v, -z (port scan), -u (UDP), -w (timeout) | nc -vz example.com 443 # is 443 open? |
| tcpdump | Packet capture. Use BPF filters to scope. | -i IFACE, -n (no DNS), -X (hex+ascii), -w file (pcap), 'port 80' (filter) | tcpdump -i eth0 -n 'host 1.2.3.4 and port 443' |
Three actor classes (user, group, other) x three rights (read, write, execute). On directories, x means "can enter / traverse," not "can execute."
Bash is the lingua franca. These idioms cover 90% of real scripts.
vi is on every Unix box you'll ever ssh into. You only need ~15 commands to be functional.
Time and space complexity for the data structures, sorting algorithms, and search routines that show up in coding interviews. Skim the row, remember the row, defend the row in an interview.
The recurring shapes - sliding window, two pointers, fast/slow, BFS/DFS, backtracking, DP, divide & conquer, binary search variants, union-find, topological sort. Each entry: when to reach for it, the template, complexity, and which classic problems use it.
The recurring forks in system design interviews. CAP, PACELC, sync vs async, push vs pull, SQL vs NoSQL, sharding shapes, consistency models, cache strategies, idempotency, and rate limiting. For each, the options and when to choose each.
Query clause order, every JOIN type and when to use it, aggregates vs window functions, what indexes actually buy you, transaction isolation levels, and the NULL / WHERE-vs-HAVING / EXISTS-vs-IN gotchas interviewers fish for.
The everyday commands, every undo scenario mapped to its fix, rebase vs merge with a side to pick, interactive rebase, bisect, the reflog safety net, stash, and the flags worth aliasing.
The docker and kubectl commands you reach for daily, Dockerfile best practices, how layer caching actually works, the core k8s objects in one screen, requests vs limits, liveness vs readiness, and a step-by-step CrashLoopBackOff debug flow.
Method semantics and idempotency, the ~15 status codes that matter, resource naming rules, offset vs cursor pagination, versioning and auth tradeoffs, error body conventions, rate-limit headers, and the smells reviewers flag.
The STAR structure with timing, what interviewers actually grade, eight question archetypes and how to frame each, the anti-patterns that sink answers (rambling, "we" instead of "I", no metrics), and a 30-second answer skeleton.
TCP vs UDP, the TLS and TCP handshakes, HTTP versions, status codes, DNS resolution, the OSI and TCP/IP layer models, and the ports you are expected to know in an interview.
Anchors, character classes, quantifiers, groups, alternation, lookarounds, backreferences, and flags - plus practical patterns and the gotchas that trip people up in interviews.
The USE method, a first-five-minutes triage runbook, and the CPU, memory, disk, network, and tracing commands you reach for when a Linux box is misbehaving.
A fast reference for concurrency primitives, synchronization tradeoffs, the memory model, and the classic bugs that show up in systems interviews and real code.
A reference for the theorems, consistency models, replication and partitioning strategies, delivery guarantees, and resilience patterns that come up in system design interviews.
Reading is the floor. The signal in interviews comes from working problems out loud and defending your tradeoffs. Spin up an AI mock interview or run a coding challenge to put these to work.