Linux Fundamentals

Navigating the Filesystem

18 min Lesson 3 of 26

Navigating the Filesystem

Every action a DevOps engineer takes — deploying an app, tailing a log, auditing a config — starts with knowing exactly where you are on disk and how to move deliberately. Linux uses a single unified tree rooted at /. There is no C:\ or D:\; every device, network share, and virtual filesystem is mounted somewhere inside that one tree. Understanding the layout is not optional background knowledge — it is the map you navigate every day in production.

The Filesystem Hierarchy Standard (FHS)

The Filesystem Hierarchy Standard (FHS) defines what belongs where. Every major Linux distribution follows it. When you SSH into an unfamiliar Ubuntu, RHEL, or Alpine server you have never touched, you already know where to look for config files, logs, and binaries because FHS is consistent.

Linux Filesystem Hierarchy / (root) /etc /var /usr /proc /home /bin /tmp nginx/ ssh/ cron.d/ log/ lib/ www/ bin/ local/ share/ [PID]/ cpuinfo meminfo Persistent data & config Virtual (kernel-managed) Essential binaries Temporary (cleared on boot)
The Linux Filesystem Hierarchy Standard — major directories under root and their children.

The directories you will interact with most in DevOps work:

  • /etc — System-wide configuration files. /etc/nginx/nginx.conf, /etc/ssh/sshd_config, /etc/cron.d/. Nothing executable lives here — only text config. When you change something in /etc you are changing behavior for the entire machine.
  • /var — Variable data that grows at runtime: logs (/var/log/), spool files, package databases (/var/lib/), web roots (/var/www/). Disk fills here first in production. Monitor it.
  • /usr — User-space programs installed by the package manager. /usr/bin/ holds most commands (python3, git, curl). /usr/local/bin/ is the conventional place for software you compile or install outside the package manager. /usr/share/ holds architecture-independent data (man pages, locale files).
  • /proc — A virtual filesystem that exposes the kernel's view of running processes and hardware. Nothing is stored on disk; the kernel generates it on demand. /proc/[PID]/ contains the entire state of a running process. /proc/cpuinfo and /proc/meminfo are how tools like top work under the hood.
  • /bin and /sbin — On modern systems these are symlinks to /usr/bin and /usr/sbin (the "merged /usr" layout). They hold the essential binaries needed to boot and recover a system.
  • /home — User home directories. In production, application service accounts typically live under /home/deploy or in /srv.
  • /tmp — Cleared on reboot (and sometimes by a systemd timer). Never store anything you need to keep here.

Absolute vs Relative Paths

An absolute path starts from / and is unambiguous regardless of where you are: /etc/nginx/nginx.conf. A relative path starts from the current working directory: ../log/nginx/error.log. In scripts and cron jobs always use absolute paths — relative paths depend on the working directory when the script runs, which is often not what you expect.

Production Pitfall: A cron job that works perfectly when you test it manually can silently fail in production because cron runs with a minimal environment and a different working directory. Use absolute paths everywhere in scripts called by cron or systemd.

Navigating with ls and cd

ls lists directory contents. cd changes the current directory. The special tokens . (current dir), .. (parent dir), ~ (your home dir), and - (previous dir) make navigation fast.

# Long listing with hidden files, human-readable sizes, sorted by time ls -lahrt /var/log/nginx/ # Show inode numbers (useful when diagnosing hard links) ls -lai /etc/alternatives/ # Change to the previous directory (toggle between two locations) cd /etc/nginx cd /var/log/nginx cd - # jumps back to /etc/nginx # Quickly jump to home cd ~ # or just: cd
Pro tip: ls -lahrt sorts by modification time, most recent last — ideal for finding which config or log file just changed. Add | tail -20 to see only the most recent entries in a busy directory.

Searching with find

find is one of the most powerful filesystem tools in Linux. It traverses a directory tree and applies tests — name, type, permissions, size, modification time — letting you locate exactly what you need or act on it directly.

# Find all .conf files under /etc, case-insensitive find /etc -iname "*.conf" -type f # Find files modified in the last 10 minutes (useful after a deploy) find /var/www/app -mmin -10 -type f # Find files larger than 100 MB — diagnose disk pressure fast find /var/log -size +100M -type f # Find world-writable files under /etc (a security audit must-run) find /etc -type f -perm -o+w # Find and delete files older than 30 days (log rotation helper) find /tmp -type f -mtime +30 -delete # Combine tests: owned by root AND executable, under /usr/local/bin find /usr/local/bin -user root -perm /u+x -type f # Execute a command on each result (-exec ... {} \;) find /etc -name "*.bak" -exec rm -v {} \;
Key idea: find is not just for searching — it is a filter pipeline that can exec arbitrary commands. At Google-scale the same mental model applies: you find candidates by metadata criteria, then act on them. The -exec flag runs a command per match; -execdir runs it from the file's own directory, which is safer against path injection.

Exploring /proc in Practice

Because /proc is just files, you can inspect live kernel state with nothing but standard text tools. This is how monitoring agents, container runtimes, and observability tools work internally.

# See all CPUs the kernel sees (critical for CPU pinning decisions) cat /proc/cpuinfo | grep "model name" | sort -u # Total and available memory in kB — the authoritative source cat /proc/meminfo | grep -E "MemTotal|MemAvailable|SwapTotal" # Inspect a specific process (PID 1 is always init/systemd) ls /proc/1/fd # open file descriptors cat /proc/1/status # process status: threads, memory, uid, state cat /proc/1/cmdline # full command line (null-byte separated) # View kernel parameters (sysctl) as plain files cat /proc/sys/vm/swappiness # current swap aggressiveness cat /proc/sys/net/ipv4/ip_forward # IP forwarding (1=on for routers/k8s nodes)

Quick Reference: Navigation Shortcuts

  • pwd — print working directory (always know where you are)
  • cd / — go to root
  • cd ~ or cd — go to your home directory
  • cd - — toggle to the previous directory
  • ls -lahrt — long listing, all files, human sizes, sorted newest-last
  • find . -name "*.log" -mmin -60 — files changed in the last hour
  • stat /path/to/file — full inode metadata: size, permissions, timestamps
Big-tech practice: On production hosts, engineers are expected to diagnose disk issues without installing new tools. find /var -xdev -size +50M -type f 2>/dev/null | sort -k5 -n (using ls -s output) or du -sh /var/log/* | sort -rh | head -20 are the first commands you run when df -h shows a filesystem at 95%. Know these cold.
Previous Lesson The Terminal & Shell Basics
Next Lesson Working with Files & Text
Back to Course