Physical storage media are nothing more than very large blocks of raw
bytes.
The presence of directories and files on them is merely a way of organising
these bytes into data structures that reference one another and the data
blocks making up the files.
This organisation into directories and files constitutes a
file system.
Start a virtual machine with
s7nsa_machine.py A.
When the system starts, it sets up a
root file system designated by
/; this is referred to as
mounting the file system.
Display the contents of
/etc/fstab to observe that the file system
designated by
LABEL=ROOT does indeed correspond to the root
/.
The command
ll /dev/disk/by-label shows that the file system with the
label
ROOT is simply the
/dev/sda1 device.
(File systems do not necessarily have a label; it is merely a convenient
way of identifying them.)
Beyond directories and files (there are other specialised elements such
as links, devices, sockets, and pipes), a file system can also be used to
mount other file systems onto some of these directories.
Observe in
/etc/fstab that the
/tmp directory of the root file
system is used to mount a virtual
tmpfs file system.
There is no physical storage medium: it is purely software-based, so the
data stored in
tmpfs remains in memory and disappears upon reboot.
The
mount command shows that many other virtual file systems are
mounted by various services during startup.
Display the contents of the root directory with
ll /.
Observe that some entries are
links to other paths;
for example,
/bin is simply
/usr/bin.
These directories are organised according to the
FHS
convention.
Among them, the most commonly used are:
- /root: the administrator's home directory,
- /home: contains the home directories of the various users,
- /tmp: a location for temporary files,
- /etc: the system and service configuration files,
- /bin, /usr/bin: executable programs,
- /lib, /usr/lib: libraries required by programs,
- /dev: devices recognised by the operating system,
- /proc, /sys: virtual file systems used to interact with the operating system kernel,
- /boot: files required to boot the machine,
- /var: data generated by services (caches, logs, etc.).
List the contents of some of these directories.
It is very common to need to search for files within the directory tree.
For example, try the command
find / -name 'ssh*config'.
Of course, if you have a rough idea of the location, you can narrow the
search with
find /etc -name 'ssh*config'.
It can also be useful to search for files based on the information they
contain.
For example, try the command
grep -Fir deny /etc.
Using extended regular expressions allows for more advanced searches,
such as
grep -Eir '^#\s?(permit|allow|deny)'.
This matches lines that start with #, followed by optional
separators, and then one of the three searched keywords.
(These patterns would deserve to be studied in depth.)
It is also very common to be interested in the size occupied by files
or directories.
For example, try the command
du -ms /usr/share/*; you will see that
each path is preceded by its size in megabytes.
The list is very long, making it difficult to spot the largest items.
The command
du -ms /usr/share/* | sort -n | tail -20 sorts this
list numerically and displays only the last few lines.
If you want to search for the largest files within a directory tree,
you can proceed as follows:
- find /usr -type f displays the list of files under the /usr
directory; this list is very long, and you can interrupt it using
the Ctrl c key combination.
- find /usr -type f | xargs du -ms runs the du -ms command
with all the paths provided by find as additional parameters;
once again, the long list can be interrupted with Ctrl c.
- find /usr -type f | xargs du -ms | sort -n | tail -20
sorts this list numerically and retains only the last few lines.
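By default xargs splits its input on blanks and newlines, so in the pipeline above a path containing a space reaches du as several wrong arguments. The function below is an added example, not part of the original lab (largest_files is an assumed helper name); it passes NUL-terminated paths instead and reports sizes in KiB.

```shell
# Added example: print the N largest regular files under a directory.
# largest_files is a hypothetical helper name, not a command from the lab.
largest_files() {
    dir=$1
    count=${2:-20}
    # -xdev      : stay on the file system that holds $dir
    #              (skips /proc, /sys, tmpfs mounts, ...)
    # -print0/-0 : paths are NUL-terminated, so a space or newline in a
    #              file name cannot split one path into several arguments
    # -r         : do not run du at all when find returns nothing
    # du -k      : size in KiB, followed by a tab and the path
    find "$dir" -xdev -type f -print0 \
        | xargs -0 -r du -k \
        | sort -n \
        | tail -n "$count"
}
```

For example, largest_files /usr 20 gives the same kind of listing as the last pipeline above, with sizes in KiB rather than megabytes.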
It is also quite common to focus searches on the date.
For example, try the commands
ll -t /etc | head and
ll -t | tail and observe the displayed dates.
To search within a chosen directory for items modified more recently
than a certain number of minutes, you can use
find /etc -mmin -180.
And to search for items older than a specific date, you can use
find /etc ! -newermt '2025-06-01'.
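The two date tests can be combined to bracket a time window, which is the usual question when reviewing what changed around a known event. This is an added example, not part of the original lab: files_in_window and demo_tree are assumed helper names, the file names and dates are constructed, and GNU find is assumed for the -newerXY tests.

```shell
# Added example: list regular files whose timestamp falls in (START, END].
# files_in_window is a hypothetical helper name; KIND is m (content
# modification time, the default) or c (inode change time).
files_in_window() {
    dir=$1 start=$2 end=$3 kind=${4:-m}
    case $kind in
        m|c) ;;
        *) echo "kind must be m or c" >&2; return 2 ;;
    esac
    # -newerXt START : timestamp X is later than START
    # ! -newerXt END : timestamp X is not later than END
    find "$dir" -xdev -type f \
        -newer"${kind}t" "$start" ! -newer"${kind}t" "$end" -print | sort
}

# Constructed demo tree: touch -d sets the mtime of each file to a chosen
# date, but the kernel stamps ctime with the moment touch ran, so the
# ctime of all three files is "now".
demo_tree() {
    d=$(mktemp -d)
    for spec in 'old.conf 2025-05-01' 'mid.conf 2025-06-10' 'new.conf 2025-07-01'; do
        set -- $spec
        echo data > "$d/$1"
        touch -d "$2 12:00" "$d/$1"
    done
    echo "$d"
}
```

On the demo tree, the mtime window 2025-06-01 to 2025-06-30 returns only mid.conf, while the ctime window yesterday to tomorrow returns all three files. A file whose mtime is outside a window but whose ctime is inside it had its inode changed during that window (content, permissions, owner or timestamps), which is worth a closer look.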
The
find command is very useful for searching for items based on a
wide variety of criteria, but it has the drawback of traversing the
entire specified directory tree, which can be slow if it is very large.
When the search is only based on the name, it can be more efficient to use
the
locate command.
For example, try
find / -name '*sshd_config*' and
locate -b sshd_config; both searches should yield similar results.
Repeat with
time find / -name '*sshd_config*' and
locate -b sshd_config; compare the reported execution
times (real).
locate is much faster than
find because it simply consults a
prebuilt path database, whereas
find traverses the entire directory
tree.
Here the file system is minimal, so the difference is negligible, but on
a large file system the difference can be very noticeable.
During the previous
find traversals, the operating system cached
information about the directories it visited, which avoids having to
read all the data again from the storage device.
If these previous traversals had not occurred, the situation would have
been even worse, as the storage devices would have been accessed much
more intensively.
Simulate this situation by running
echo 3 >/proc/sys/vm/drop_caches
and then rerun the command
time find / -name '*sshd_config*' to
observe the new execution time.
Copy the file
/etc/ssh/sshd_config to your
/root directory and
rerun
find / -name '*sshd_config*'; you will see that this copied
file is indeed found.
Then rerun
locate -b sshd_config and notice that the newly copied
file does not appear.
This is because the prebuilt path database used by
locate has not
been updated.
Run
updatedb and then rerun
locate -b sshd_config; this time,
the recently copied file will appear.
For
locate to be useful for recent files,
updatedb must be run
from time to time (for example, daily).