Linux Systems Engineering

Linux systems notes on kernel boundaries, processes, memory, storage, networking, systemd, permissions, containers, observability, performance, security, and eBPF.

Study map

Purpose: Map the Linux systems engineering knowledge base into a navigable field manual for deep Linux, kernel, container, performance, security, and eBPF mastery.

Linux Systems Engineering

This compendium treats Linux as a layered production system: hardware and firmware start the machine, the kernel arbitrates privileged resources, user space composes policy and services, and operators keep the whole stack observable, secure, and recoverable. It is not a beginner command cheat sheet. It is a reference for engineers who need to predict how Linux behaves when systems are slow, isolated, overloaded, attacked, upgraded, or extended with eBPF.

Linux is a kernel, not a complete operating environment by itself. A distribution combines the kernel with a boot chain, init system, libc, package manager, user space tools, default security policy, service manager, logging stack, and release process. Production behavior often depends on both layers: a kernel feature may exist, while the distribution chooses a different default, disables a config option, backports a patch, or wraps it with systemd, NetworkManager, firewalld, SELinux, AppArmor, or a container runtime.

Core Path

| Stage | Notes | Mastery outcome |
| --- | --- | --- |
| Mental model | 01 Linux Mental Model User Space Kernel and Hardware, 06 System Calls ABI libc and User Kernel Boundaries | Explain where an operation runs, which ABI it crosses, and why kernel boundaries shape reliability. |
| Process model | 02 Processes Threads Scheduling Signals and Jobs | Debug process lifecycles, signal behavior, job control, CPU scheduling, and daemon failures. |
| Memory model | 03 Memory Virtual Memory Paging Allocators and OOM | Interpret RSS, page cache, reclaim, swap, NUMA, overcommit, and cgroup memory failures. |
| Storage model | 04 Filesystems VFS Block IO Page Cache and Storage | Trace a file operation through VFS, page cache, block IO, journaling, and storage saturation. |
| Network model | 05 Linux Networking TCP IP Routing Firewalling and DNS | Diagnose routes, sockets, conntrack, NAT, nftables, DNS, TLS symptoms, packet loss, and throughput limits. |
| Service model | 07 systemd Boot Init Units Timers Journald and Services | Operate systemd units, dependencies, logs, timers, hardening, resource controls, and boot failures. |
| Security model | 08 Permissions Users Groups Capabilities and LSMs, 12 Linux Security Hardening Secrets and Incident Response | Reason about identity, capabilities, LSMs, seccomp, secrets, patching, and incident containment. |
| Isolation model | 09 cgroups Namespaces Containers and Runtime Isolation | Explain containers as Linux process isolation using namespaces, cgroups, mounts, runtime specs, and host kernel policy. |
| Observability model | 10 Observability Logs Metrics Tracing and Debugging, 11 Performance Engineering perf Flamegraphs and Capacity | Collect useful evidence without distorting the workload, then connect symptoms to bottlenecks. |
| Kernel model | 13 Kernel Architecture Modules Drivers and Device Model | Understand kernel subsystems, modules, drivers, locking, RCU, panics, taint, and build boundaries. |
| eBPF model | 14 eBPF Fundamentals Verifier Maps Programs and Helpers, 15 eBPF Networking XDP TC Cilium and Service Dataplanes, 16 eBPF Observability Uprobes Kprobes Tracepoints and CO-RE | Use eBPF as constrained kernel extension machinery for tracing, networking, and security without treating it as magic. |
| Operations model | 17 Production Operations Troubleshooting and Runbooks, 18 Linux Ecosystem Tools and Learning Projects | Practice repeatable incident response, tool fluency, and learning projects that map to production realities. |

Operating Principles

| Principle | Practical consequence |
| --- | --- |
| The kernel owns enforcement. | A CLI can request behavior, but the kernel decides based on credentials, namespaces, LSM policy, cgroup limits, device state, and current resources. |
| User space owns policy. | systemd units, package hooks, DNS resolvers, firewalls, PAM stacks, container runtimes, and orchestrators express policy through kernel APIs. |
| Most incidents are boundary failures. | Slow DNS, stuck mounts, OOM kills, packet drops, service restarts, and permission denials usually involve a mismatch between user space intent and kernel state. |
| Observability changes systems. | strace, perf, eBPF, tcpdump, debugfs, and verbose logs add overhead, expose sensitive data, or require privileges. Use bounded scope in production. |
| Containers share the host kernel. | Namespaces hide global resources and cgroups meter resources, but the kernel, many drivers, and many attack surfaces remain shared. |
| Version details matter. | Kernel config, distribution backports, systemd version, cgroup mode, BTF availability, nftables backend, and container runtime defaults can change behavior. |

Local Machines, Production Hosts, and Clusters

| Environment | Bias | What to avoid |
| --- | --- | --- |
| Local learning machine | Experiment freely with namespaces, custom kernels, bpftrace one-liners, mount labs, and toy cgroups. | Confusing permissive local privileges with production access. |
| Production Linux host | Prefer read-only inspection, bounded tracing, reversible unit changes, staged firewall changes, and evidence capture before mutation. | Running unbounded tracers, deleting logs, killing processes blindly, flushing conntrack, or changing sysctls without rollback. |
| Production cluster | Treat the node as part of a scheduler, network dataplane, storage plane, and security policy set. | Debugging a node as if Kubernetes, containerd, CNI, CSI, and cloud metadata are irrelevant. |

Fast Diagnostic Triage

| Symptom | First boundary to check | Notes |
| --- | --- | --- |
| Service will not start | 07 systemd Boot Init Units Timers Journald and Services | Unit dependency, environment, permission, mount, cgroup, or executable path failure. |
| High load with low CPU | 02 Processes Threads Scheduling Signals and Jobs, 04 Filesystems VFS Block IO Page Cache and Storage | Often IO wait, uninterruptible sleep, lock contention, or blocked storage path. |
| OOM killed container | 03 Memory Virtual Memory Paging Allocators and OOM, 09 cgroups Namespaces Containers and Runtime Isolation | Compare host memory pressure with memcg limits and memory.events. |
| Cannot bind port | 05 Linux Networking TCP IP Routing Firewalling and DNS, 08 Permissions Users Groups Capabilities and LSMs | Existing socket, namespace mismatch, privilege, SELinux/AppArmor, or ephemeral port exhaustion. |
| DNS slow or wrong | 05 Linux Networking TCP IP Routing Firewalling and DNS, 17 Production Operations Troubleshooting and Runbooks | Resolver order, systemd-resolved split DNS, search domains, packet loss, or firewall. |
| BPF program rejected | 14 eBPF Fundamentals Verifier Maps Programs and Helpers, 16 eBPF Observability Uprobes Kprobes Tracepoints and CO-RE | Verifier proof failure, helper mismatch, unbounded access, missing BTF, or unsupported attach point. |

Operational Vocabulary Anchors

These exact phrases are intentionally present for Obsidian search and review. The detailed treatment lives in the linked notes.

| Anchor | Operational reading |
| --- | --- |
| Kernel space vs user space | 01 Linux Mental Model User Space Kernel and Hardware explains privilege, address space separation, and why failures often appear at this boundary. |
| libc and ABI boundaries | 06 System Calls ABI libc and User Kernel Boundaries explains libc wrappers, syscall ABI contracts, errno, and stable user space behavior. |
| CPU privilege rings | 01 Linux Mental Model User Space Kernel and Hardware ties rings to traps, interrupts, exceptions, syscall entry, and device access. |
| Interrupts and exceptions | 01 Linux Mental Model User Space Kernel and Hardware separates asynchronous hardware interrupts from synchronous CPU exceptions. |
| Distribution vs kernel distinction | 01 Linux Mental Model User Space Kernel and Hardware separates upstream kernel mechanisms from distribution defaults and support policy. |
| Package managers overview | 18 Linux Ecosystem Tools and Learning Projects compares package managers as distribution policy and supply chain machinery. |
| stdin stdout stderr | 01 Linux Mental Model User Space Kernel and Hardware treats standard streams as inherited file descriptors, not special shell magic. |
| Tasks in the Linux kernel | 02 Processes Threads Scheduling Signals and Jobs maps processes and threads onto kernel tasks. |
| SIGKILL vs SIGTERM | 02 Processes Threads Scheduling Signals and Jobs distinguishes cooperative termination from uncatchable forced termination. |
| CFS scheduler | 02 Processes Threads Scheduling Signals and Jobs places CFS in context with EEVDF documentation and real-time classes. |
| jobs and daemons | 02 Processes Threads Scheduling Signals and Jobs connects shell job control to long-running service supervision. |
| Pages and huge pages | 03 Memory Virtual Memory Paging Allocators and OOM explains base pages, transparent huge pages, hugetlbfs, and TLB tradeoffs. |
| brk and heap | 03 Memory Virtual Memory Paging Allocators and OOM separates classic heap growth from mmap-backed allocations. |
| debugging OOM and memory pressure | 03 Memory Virtual Memory Paging Allocators and OOM uses dmesg, cgroup events, PSI, smaps, and workload evidence. |
| symbolic links | 04 Filesystems VFS Block IO Page Cache and Storage covers symlink path resolution and security footguns. |
| Btrfs overview | 04 Filesystems VFS Block IO Page Cache and Storage treats Btrfs as copy-on-write storage with snapshots and operational complexity. |
| LVM overview | 04 Filesystems VFS Block IO Page Cache and Storage places LVM between filesystems and block devices. |
| RAID overview | 04 Filesystems VFS Block IO Page Cache and Storage separates redundancy, availability, rebuild risk, and backup. |
| dm-crypt overview | 04 Filesystems VFS Block IO Page Cache and Storage maps encryption at the device-mapper layer. |
| io_uring overview | 04 Filesystems VFS Block IO Page Cache and Storage frames io_uring as an async submission and completion interface, not a universal speed switch. |
| IOPS vs throughput | 04 Filesystems VFS Block IO Page Cache and Storage distinguishes operation rate from sustained bytes per second. |
| latency and queue depth | 04 Filesystems VFS Block IO Page Cache and Storage explains why deeper queues can improve throughput while hurting tail latency. |
| filesystem troubleshooting | 04 Filesystems VFS Block IO Page Cache and Storage starts from mounts, inodes, free space, dirty writeback, and block saturation. |
| firewalld overview | 05 Linux Networking TCP IP Routing Firewalling and DNS treats firewalld as policy management over nftables or iptables backends. |
| MTU and fragmentation | 05 Linux Networking TCP IP Routing Firewalling and DNS maps packet size failures to PMTU, tunnels, ICMP, and drops. |
| TCP states | 05 Linux Networking TCP IP Routing Firewalling and DNS uses ss state output to reason about listeners, handshakes, close, and TIME_WAIT. |
| ordering vs requirement | 07 systemd Boot Init Units Timers Journald and Services separates After= ordering from Requires= dependency. |
| setuid and setgid | 08 Permissions Users Groups Capabilities and LSMs explains legacy privilege transitions and modern capability alternatives. |
| Landlock overview | 08 Permissions Users Groups Capabilities and LSMs describes unprivileged filesystem access restrictions as an LSM feature. |
| module signing overview | 08 Permissions Users Groups Capabilities and LSMs and 13 Kernel Architecture Modules Drivers and Device Model connect signed modules to secure boot and lockdown posture. |
| cgroup v1 vs cgroup v2 | 09 cgroups Namespaces Containers and Runtime Isolation explains unified hierarchy behavior and migration tradeoffs. |
| CPU controller | 09 cgroups Namespaces Containers and Runtime Isolation covers CPU weights, quotas, throttling, and scheduler impact. |
| memory controller | 09 cgroups Namespaces Containers and Runtime Isolation covers memcg accounting, limits, reclaim, and OOM. |
| IO controller | 09 cgroups Namespaces Containers and Runtime Isolation covers block IO control where supported by kernel and device stack. |
| cpuset controller | 09 cgroups Namespaces Containers and Runtime Isolation covers CPU and NUMA node placement constraints. |
| uts namespace | 09 cgroups Namespaces Containers and Runtime Isolation explains hostname and domain-name isolation. |
| container runtime model | 09 cgroups Namespaces Containers and Runtime Isolation separates image manager, CRI service, OCI runtime, and kernel primitives. |
| CRI-O overview | 09 cgroups Namespaces Containers and Runtime Isolation compares CRI-O with containerd as a Kubernetes CRI implementation. |
| overlayfs for containers | 09 cgroups Namespaces Containers and Runtime Isolation links image layers to merged writable container root filesystems. |
| container security boundaries | 09 cgroups Namespaces Containers and Runtime Isolation treats boundaries as layered controls, not VM equivalence. |
| diagnosing high memory | 10 Observability Logs Metrics Tracing and Debugging and 17 Production Operations Troubleshooting and Runbooks start with RSS, cache, cgroups, swap, PSI, and OOM logs. |
| diagnosing slow disk | 10 Observability Logs Metrics Tracing and Debugging uses latency, utilization, queue depth, dirty pages, and filesystem evidence. |
| diagnosing network latency | 10 Observability Logs Metrics Tracing and Debugging combines routes, DNS, retransmits, packet loss, tcpdump, and service metrics. |
| Module loading and unloading | 13 Kernel Architecture Modules Drivers and Device Model covers modprobe, insmod, dependencies, reference counts, and production risk. |
| syscalls table overview | 13 Kernel Architecture Modules Drivers and Device Model places syscall dispatch in the architecture boundary without promising a stable internal table layout. |
| tasklets status and modern alternatives | 13 Kernel Architecture Modules Drivers and Device Model notes legacy tasklets and prefers workqueues, threaded IRQs, NAPI, and other maintained mechanisms when appropriate. |
| building a kernel overview | 13 Kernel Architecture Modules Drivers and Device Model treats kernel builds as lab or vendor-governed production work. |
| What eBPF is and is not | 14 eBPF Fundamentals Verifier Maps Programs and Helpers frames eBPF as verified kernel extension, not arbitrary kernel scripting. |
| BPF instruction set overview | 14 eBPF Fundamentals Verifier Maps Programs and Helpers describes registers, instructions, helpers, maps, and JIT context. |
| kretprobes | 14 eBPF Fundamentals Verifier Maps Programs and Helpers and 16 eBPF Observability Uprobes Kprobes Tracepoints and CO-RE cover return probes and fragility. |
| raw tracepoints | 14 eBPF Fundamentals Verifier Maps Programs and Helpers covers lower overhead tracepoint variants and type safety tradeoffs. |
| Aya overview | 14 eBPF Fundamentals Verifier Maps Programs and Helpers places Aya as Rust tooling over the same kernel BPF APIs. |
| when eBPF is the wrong tool | 14 eBPF Fundamentals Verifier Maps Programs and Helpers lists cases where logs, metrics, perf, tcpdump, or code changes are safer. |
| TC ingress and egress | 15 eBPF Networking XDP TC Cilium and Service Dataplanes compares TC hooks with XDP and socket hooks. |
| socket-level hooks | 15 eBPF Networking XDP TC Cilium and Service Dataplanes covers socket filters and socket-related cgroup hooks. |
| Hubble style flows | 15 eBPF Networking XDP TC Cilium and Service Dataplanes connects flow observability to service and policy context. |
| USDT probes overview | 16 eBPF Observability Uprobes Kprobes Tracepoints and CO-RE explains application-defined tracing points. |
| production overhead management | 16 eBPF Observability Uprobes Kprobes Tracepoints and CO-RE covers sampling, filtering, aggregation, and rollout limits. |
| cardinality control | 16 eBPF Observability Uprobes Kprobes Tracepoints and CO-RE limits map keys, labels, and emitted events. |
| kernel version compatibility | 16 eBPF Observability Uprobes Kprobes Tracepoints and CO-RE covers helper availability, BTF, CO-RE, and attach point differences. |
| Boot failure troubleshooting | 17 Production Operations Troubleshooting and Runbooks starts from firmware, bootloader, kernel command line, initramfs, root mount, and PID 1. |
| high CPU incidents | 17 Production Operations Troubleshooting and Runbooks moves from saturation confirmation to process, thread, syscall, and profile evidence. |
| memory pressure incidents | 17 Production Operations Troubleshooting and Runbooks checks PSI, reclaim, cgroups, swap, page cache, and OOM sequence. |
| OOM incidents | 17 Production Operations Troubleshooting and Runbooks separates global OOM from memcg OOM and captures killer logs. |
| load average investigation | 17 Production Operations Troubleshooting and Runbooks separates runnable work from uninterruptible sleep. |
| zombie processes | 17 Production Operations Troubleshooting and Runbooks treats zombies as wait failures owned by parents or service supervisors. |
| systemd unit failures | 17 Production Operations Troubleshooting and Runbooks checks unit state, logs, dependency graph, credentials, cgroups, and sandboxing. |
| data collection checklist | 17 Production Operations Troubleshooting and Runbooks prioritizes volatile evidence before mutation. |
| escalation checklist | 17 Production Operations Troubleshooting and Runbooks defines when to involve application, kernel, network, security, or vendor owners. |
| post-incident review checklist | 17 Production Operations Troubleshooting and Runbooks connects symptoms, timeline, contributing factors, and durable follow-up. |

Reference Sources Used For Drift-Prone Facts

Official and primary sources should be preferred for current behavior:

| Domain | Primary references |
| --- | --- |
| Kernel user visible APIs | https://docs.kernel.org/, https://man7.org/linux/man-pages/ |
| cgroup v2 | https://docs.kernel.org/admin-guide/cgroup-v2.html |
| eBPF verifier and APIs | https://docs.kernel.org/bpf/, https://docs.kernel.org/userspace-api/ebpf/ |
| systemd units and execution | https://www.freedesktop.org/software/systemd/man/ |
| nftables | https://www.netfilter.org/projects/nftables/manpage.html |
| iproute2 and sockets | https://man7.org/linux/man-pages/man8/ip.8.html, distribution man pages for ss(8) |

Ordered notes

Linux Systems Mastery Roadmap

Purpose: Provide a study and practice path for mastering Linux systems engineering from user space fundamentals through kernel internals, containers, production operations, and eBPF. Linux Systems Mastery Roadmap This...

Linux Mental Model User Space Kernel and Hardware

Purpose: Build the operating model for reading Linux as a set of boundaries: hardware, kernel, user space, process APIs, virtual filesystems, boot stages, distribution policy, and the shell environment that operators...

Processes Threads Scheduling Signals and Jobs

Purpose: Build an operator grade mental model for Linux processes, threads, kernel tasks, scheduling, signals, terminals, jobs, daemons, and systemd service lifecycles, with enough detail to debug production incidents...

Memory Virtual Memory Paging Allocators and OOM

Purpose: Build a production ready mental model for Linux virtual memory, paging, allocation, page cache, reclaim, swap, cgroup memory accounting, NUMA, and OOM behavior, with enough practical detail to debug memory...

Filesystems VFS Block IO Page Cache and Storage

Purpose: Build an operator grade mental model of Linux filesystems, VFS objects, block IO, page cache behavior, and storage layers so that local experiments stay educational and production storage changes stay...

Linux Networking TCP IP Routing Firewalling and DNS

Purpose: Build an operator grade mental model of Linux networking, TCP/IP behavior, routing, firewalling, DNS resolution, and packet troubleshooting across learning hosts, production servers, and clusters. Related:...

System Calls ABI libc and User Kernel Boundaries

Purpose: Explain the exact user kernel boundary in Linux: syscall ABI, libc wrappers, errno, vDSO, process creation, file descriptors, sockets, ioctls, seccomp, tracing, and what the stable ABI does and does not...

systemd Boot Init Units Timers Journald and Services

Purpose: Build an operator grade mental model for systemd as PID 1, service supervisor, boot transaction engine, resource controller, and logging substrate, with clear differences between a local learning machine and...

Permissions Users Groups Capabilities and LSMs

Purpose: Build a production focused model of Linux identity, permissions, privilege boundaries, kernel isolation primitives, LSMs, host secrets, patching, and incident response, with explicit separation between local...

cgroups Namespaces Containers and Runtime Isolation

Purpose: Build an operator grade mental model for Linux resource control, namespaces, container runtimes, and the real isolation boundary between a process on a local learning machine, a production Linux host, and a...

Observability Logs Metrics Tracing and Debugging

Purpose: Build an operator grade observability and debugging model for Linux hosts and clusters, connecting logs, metrics, tracing, profiling, packet inspection, and incident triage without confusing local experiments...

Performance Engineering perf Flamegraphs and Capacity

Purpose: Build a production performance engineering playbook for Linux systems that connects capacity models, bottleneck discipline, sampling, perf, flamegraphs, off CPU analysis, and host or cluster profiling into...

Linux Security Hardening Secrets and Incident Response

Purpose: Build a production focused Linux hardening and incident response manual that extends the permissions and LSM model into service hardening, secrets handling, SSH, auditd, patching, CVE response, and bounded...

Kernel Architecture Modules Drivers and Device Model

Purpose: Build a production grade mental model of Linux kernel architecture, modules, drivers, subsystem boundaries, concurrency primitives, crash signals, configuration, and build discipline without treating kernel...

eBPF Fundamentals Verifier Maps Programs and Helpers

Purpose: Build a production grade mental model of eBPF as constrained Linux kernel extension machinery, including verifier behavior, maps, helpers, program types, attach points, portability, tooling, and when not to...

eBPF Networking XDP TC Cilium and Service Dataplanes

Purpose: Explain eBPF networking as programmable packet and socket handling across XDP, TC, socket hooks, cgroup hooks, service dataplanes, Cilium style policy, and production debugging. 15 eBPF Networking XDP TC...

eBPF Observability Uprobes Kprobes Tracepoints and CO-RE

Purpose: Use eBPF observability safely for syscall, process, file, TCP, DNS, latency, off CPU, lock, and application tracing while managing overhead, privacy, portability, and production troubleshooting. 16 eBPF...

Production Operations Troubleshooting and Runbooks

Purpose: Provide production safe Linux incident runbooks that separate local learning experiments from real host and cluster operations, with enough kernel, systemd, network, filesystem, and escalation detail to act...

Linux Ecosystem Tools and Learning Projects

Purpose: Turn Linux systems engineering into a practical tool map and project sequence that is safe on local learning machines, disciplined on production Linux hosts, and realistic for production clusters. Related...