Linux CLI Best Practices
A condensed summary of the 25 most important Linux CLI practices for Node.js backend teams - shared portable content; script common ops tasks.
-
Prefer SIGTERM over SIGKILL:
kill <PID>first so Fastify/Expressclose()drains HTTP and DB pools;kill -9only after graceful timeout (Process Inspection). -
Run Node APIs under systemd or Kubernetes: Not naked
node &in SSH sessions - processes die when the session drops. -
Persist ops sessions with tmux: Long log tails and port-forward tunnels survive disconnects.
-
Allow SSH before enabling ufw:
ufw allow 22/tcpbeforeufw enableor lock yourself out. -
Non-root binds high ports: Run Node on 3000+; put nginx/caddy on 443 in front - never run Node as root for port 80.
-
Diagnose with journalctl and kubectl logs:
systemctl status→journalctl -u <svc>on VMs;kubectl logs+describein k8s. -
Lock down secret files:
chmod 600on.envand credential files on developer machines. -
Prefer ripgrep over grep in repos:
rgrespects.gitignoreand skipsnode_modules/. -
Scope find and grep: Never search from
/unfiltered - pass project dir and excludenode_modules. -
Use
jqon JSON logs: Pino one-line JSON -jq 'select(.level=="error")'beatsgrep Error(CLI Basics for Node). -
curl -sf for health smoke: Fail scripts on 5xx; add
-w time_totalfor latency spot checks. -
ss replaces netstat:
ss -tlnpfor listening ports and backlog summary. -
lsof for EADDRINUSE:
lsof -i :3000before killing random node processes. -
Start scripts with
set -euo pipefail: Fail fast; undefined variables error; pipe failures propagate. -
Use
$()not backticks: Nested command substitution and clearer quoting. -
Redirect stderr:
cmd > out.log 2>&1: Capture both streams for post-mortem bundles. -
Use npm ci in CI scripts: Reproducible installs from lockfile - never
npm installin deploy pipelines. -
Pin Node in CI and Docker:
24.18.0matches.nvmrcandengines. -
Propagate x-request-id in curl smoke tests: Correlate manual checks with centralized logs.
-
Free stuck dev ports with SIGTERM first:
lsof -ti :3000 | xargs killbefore-9. -
NODE_OPTIONS heap bump is temporary:
--max-old-space-sizefor build OOM; recurring OOM needs leak triage. -
kubectl port-forward for private APIs: Do not expose prod to public internet for debugging.
-
Commit bin/smoke.sh to repo: Same checks locally, in SSH runbooks, and post-deploy hooks.
-
macOS sed quirk for portable scripts:
sed -i ''on macOS vssed -ion Linux - document in CONTRIBUTING or usegnu-sed. -
Document platform-specific ops in runbooks: AWS ECS exec vs kubectl exec - link from service README.
FAQs
Install jq on production servers?
Prefer running jq from bastion against forwarded logs. Debug containers may include jq; minimal prod images often omit it.
htop in Alpine?
Install in debug sidecar or use top -b -n 1 one-shot. Do not bloat production image for interactive tools unless SRE approves.
How much CLI skill do frontend hires need?
Day one: curl, jq, lsof. Week one: kubectl logs, smoke scripts. Deep systemd/nginx is SRE-partnered (Onboarding Basics).
Related
- CLI Basics for Node - curl, jq, ss examples
- Process Inspection - top, htop, lsof
- Incident Triage Skill - incident command bundle
- Runtime Ops Best Practices - production process policy
Stack versions: This page was written for Node.js 24.18.0 (Active LTS), npm 10+, TypeScript 5.6+, Express 5, Fastify 5, and NestJS 11.