Core Code
Core Code Modern Dev Handbook
LINUX-PRODUCTION Contents
Linux Fundamentals for Production
Filesystem Layout (FHS) in Practice Users, Groups, and Service Accounts Permissions & ACLs (chmod/chown/setuid) Sudoers Safe Defaults Packages: apt/dnf, Repos, and Pinning Shell & Environment Hygiene Editing Configs Safely Time, Timezones, and NTP System Introspection Toolkit
Processes & Signals
Linux Process Model (PID, PPID, Fork/Exec) ps/top/htop: Finding What Hurts Signals in Practice (TERM/KILL/HUP) nice/renice and Scheduling Basics ulimits and Resource Limits Background Jobs (nohup, tmux, systemd-run) /proc and What It Tells You cgroups Basics (CPU/Memory Isolation) Zombies, Orphans, and Stuck Processes
systemd & Services
systemd Unit Types Overview Service Unit Best Practices Dependencies & Ordering (After/Wants/Requires) Restart Policies and Backoff Environment Files and Secrets Handling journald Basics (Reading, Filtering, Retention) Logging Practices with systemd Timers vs Cron Debugging systemd Services
Networking Basics for Production
ip, routes, and interfaces DNS Debugging (dig, resolvectl, hosts) Ports and Sockets with ss curl for HTTP Debugging TCP Basics (Handshake, States, Retries) Firewall Overview (nftables/iptables/ufw) NAT and Port Forwarding Concepts TLS and Certificates Basics Network Troubleshooting Playbook
Storage & Filesystems
Disk Layout and Partitioning (lsblk/fdisk) Filesystems (ext4/xfs) Basics Mounts and /etc/fstab Safety Disk Usage: df vs du (and Why They Differ) Inodes and “Disk Full” Mysteries Swap Strategy in Production Log Rotation (logrotate) Basics Temporary and Runtime Storage Hygiene Backup Storage Considerations
Security Basics
SSH Hardening in Production Users and Least Privilege in Production Firewall Minimum Rules for Production Linux Patching Strategy in Production Managing Secrets on Linux Hosts Linux Audit and Basic Logging in Production Fail2ban and Rate Limiting in Production SELinux and AppArmor Overview in Production Linux Security Baseline Checklist for Production
Observability on Linux
Linux Log Sources Map in Production journalctl Power Usage in Production Log Structure and Correlation in Production Metrics Hooks Overview in Production Health Checks and Readiness in Production Tracing Mindset for Linux and Production Systems Core Dumps Basics in Production Debug Packages and Symbols in Production Linux Observability Checklist for Production
Performance & Debugging
Load Average Explained for Production Debugging CPU Profiling Basics in Linux Production Memory Pressure Basics in Linux Production IO Bottlenecks and iostat in Production lsof and Open Files in Production Debugging Practical strace Usage in Production Sockets Debugging Tools in Linux Production dmesg and Kernel Signals for Production Debugging Production Debugging Workflow for Linux Systems
Deployment Patterns
Environment and Configuration Management in Production Release Directory Pattern for Safe Linux Deployments Zero-Downtime Restarts in Production Running Migrations Safely in Production Secrets Deploy Patterns in Production Backups and Restore Drills in Production Rollback Strategies for Production Deployments Maintenance Windows in Production Operations Production Deployment Checklist for Linux Systems
Production Checklists
Writing Effective Runbooks for Production Systems Failure Modes Mapping for Linux Production Systems Incident Response Basics for Linux Production Break-Glass Access in Production Capacity Planning Basics for Linux Production Systems Monitoring and Alerting Baseline for Linux Production Production Readiness Review for Linux Systems Configuration Drift in Linux Production Systems Go-Live Checklist

Users, Groups, and Service Accounts

Create least-privilege users, group policies, and predictable ownership for services.
On this page

Why User Strategy Matters in Production

On a production server, the question is not “can it run?” but “who can run it?” User and group design determines blast radius during incidents, privilege escalation risk, and auditability. Running everything as root is not convenience — it is future outage material.

The Golden Rule: Root Is for Maintenance Only

Root should never run your application. Root should:

  • Install packages
  • Manage system configuration
  • Perform controlled maintenance

Your services must run as dedicated system users.

Service Account Pattern

Every production service should have its own system user. 

sudo useradd --system --no-create-home --shell /usr/sbin/nologin myapp

This creates:

  • No login capability
  • No home directory
  • Isolated ownership boundary

Ownership Strategy

Application directories should be owned by the service user: 

chown -R myapp:myapp /srv/myapp

Never make application directories writable by everyone (chmod 777 is not a solution).

Group-Based Access Model

Instead of granting individual permissions repeatedly, use groups. Example: 

groupadd deploy
usermod -aG deploy alice
usermod -aG deploy bob

Now grant directory access once: 

chgrp -R deploy /srv/myapp
chmod -R 750 /srv/myapp

Understanding umask

umask defines default permissions for new files. On production systems, a safe default is: 

umask 027

This ensures:

  • No world-readable secrets
  • Group collaboration remains possible

Sudo Minimalism

Instead of giving full root access, restrict commands: 

alice ALL=(ALL) NOPASSWD: /bin/systemctl restart myapp

This limits blast radius dramatically.

Directory Permission Model

Production-safe pattern:

  • 750 for application directories
  • 640 for config files
  • 600 for secrets

Common Production Mistakes

  • Running Node, PHP, Python apps as root
  • Using chmod 777 during “quick fixes”
  • Sharing one system user across multiple services
  • Putting secrets in user home directories

Auditing Your Server

ps aux --sort=user
ls -l /srv
getent passwd

Mental Model

Think in layers: System → Service → Deploy → Human. Each layer should have its own identity. If one layer is compromised, the others must survive.

Production Checklist

  • Every service has its own user
  • No login shells for service users
  • No 777 permissions anywhere
  • Secrets readable only by service user
  • Sudo limited to minimal commands
Permissions & ACLs (chmod/chown/setuid) →