Industrial Linux Server Administration: Commands, Services, and Permissions
systemd: Managing Services
Every modern Linux server uses systemd to start, stop, and monitor all services. When you deploy an industrial application, systemd ensures it starts automatically after a reboot and restarts if it crashes.
Key Commands
sudo systemctl start factory-monitor # Start a service
sudo systemctl stop factory-monitor # Stop a service
sudo systemctl enable factory-monitor # Enable auto-start on boot
sudo systemctl status factory-monitor # Check service status
Creating a Custom Service
# /etc/systemd/system/factory-monitor.service
[Unit]
Description=Factory Monitoring Application
After=network.target
[Service]
Type=simple
User=factory
WorkingDirectory=/opt/factory-monitor
ExecStart=/opt/factory-monitor/bin/factory-monitor
Restart=always
RestartSec=5
Environment=RUST_LOG=info
Environment=DATABASE_URL=ws://localhost:8000
[Install]
WantedBy=multi-user.target
# After saving the unit file, reload systemd, then enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable --now factory-monitor
Firewall: ufw and iptables
A factory server without a firewall is an open invitation for unauthorized access.
ufw (Uncomplicated Firewall)
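sudo ufw default deny incoming # Set default policies first
sudo ufw default allow outgoing
sudo ufw allow 22/tcp # SSH (allow before enabling, or new SSH connections are blocked)
sudo ufw allow 8080/tcp # Application
sudo ufw allow 3000/tcp # Grafana
sudo ufw enable # Activate the rules
sudo ufw status verbose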
iptables (Advanced)
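sudo iptables -A INPUT -i lo -j ACCEPT # Loopback, needed for local connections such as ws://localhost:8000
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Replies to existing connections
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.10.0/24 -j ACCEPT # SSH from 192.168.10.0/24 only
sudo iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT # Application from 10.0.0.0/24 only
sudo iptables -A INPUT -j DROP # Drop everything else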
User Management and Permissions
Never run production services as root. Create dedicated users with minimal permissions.
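sudo useradd --system --no-create-home --shell /usr/sbin/nologin factory # Service account, no login shell
sudo useradd -m -s /bin/bash admin-joe # Human administrator account
sudo usermod -aG sudo admin-joe # Grant sudo rights to the administrator
sudo chown -R factory:factory /opt/factory-monitor # Application files belong to the service account
sudo chmod 750 /opt/factory-monitor # No access for other users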
SSH Key Authentication
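# On the administrator's workstation: create a key pair and install the public key
ssh-keygen -t ed25519 -C "joe@drmachine"
ssh-copy-id -i ~/.ssh/id_ed25519.pub admin-joe@factory-server
# On the server: disable password logins (matches the line whether or not it is commented out)
sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Validate the configuration before restarting, so a typo cannot lock you out
sudo sshd -t && sudo systemctl restart sshd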
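A `sed` substitution changes nothing, and reports no error, when the file has no line matching its pattern. The helper below is an added example, not part of the original lesson: it sets an option whether the line is commented, active or missing. The function names and the sample configuration are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: set an sshd_config option so the result does not depend on
# how the line looked before. Function names are hypothetical.

# set_sshd_option FILE KEY VALUE
# Drops every active "KEY ..." line in the global section and writes one
# "KEY VALUE" line before the first Match block (or at the end of the file).
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp rc
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/); word = tolower(f[1])
        }
        !in_match && word == "match" { print key " " value; in_match = 1 }
        !in_match && word == tolower(key) { next }   # old global setting
        { print }
        END { if (!in_match) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"       # cat keeps FILE owner/mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# sshd_file_value FILE KEY
# Prints the first active global value of KEY (sshd keeps the first value it
# reads for each keyword); prints nothing when KEY is not set.
sshd_file_value() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); n = split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        n >= 2 && tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$1"
}

# Constructed sample: the option is already active, so a substitution written
# for the commented default line matches nothing.
demo_cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' 'Match User backup' \
    '    PasswordAuthentication yes' > "$demo_cfg"
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' "$demo_cfg"
echo "after sed:    $(sshd_file_value "$demo_cfg" PasswordAuthentication)"
set_sshd_option "$demo_cfg" PasswordAuthentication no
echo "after setter: $(sshd_file_value "$demo_cfg" PasswordAuthentication)"
```

The helper leaves `Match` blocks untouched, and a file pulled in by an `Include` line can still set the option first, so confirm the effective value with `sudo sshd -T | grep -i passwordauthentication` before restarting the service.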
Logs: journalctl and /var/log Files
When a machine stops reporting data at 3 AM, logs are your first line of investigation.
journalctl
sudo journalctl -b # All logs since last boot
sudo journalctl -u factory-monitor -f # Follow a service
sudo journalctl --since "30 min ago" # Recent logs
sudo journalctl -p err -b # Errors only
Important Log Files
| File | Purpose |
|---|---|
| /var/log/syslog | General system messages |
| /var/log/auth.log | Authentication attempts |
| /var/log/kern.log | Kernel messages |
Log Rotation
# /etc/logrotate.d/factory-monitor
/var/log/factory-monitor/*.log {
    daily
    missingok
    rotate 14
    compress
    notifempty
    create 0640 factory factory
}
Scheduled Tasks: cron and systemd Timers
cron
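crontab -e
# Daily at 02:00: back up the database and append output to a log
0 2 * * * /opt/scripts/backup-surrealdb.sh >> /var/log/backup.log 2>&1
# Sundays at 03:00: clean up old logs
0 3 * * 0 /opt/scripts/cleanup-logs.sh
# Every 5 minutes: run the health check and alert if it fails
*/5 * * * * /opt/scripts/health-check.sh || /opt/scripts/alert.sh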
systemd Timers
# /etc/systemd/system/factory-backup.timer
[Unit]
Description=Daily Factory Database Backup
[Timer]
OnCalendar=*-*-* 02:00:00
Persistent=true
[Install]
WantedBy=timers.target
# /etc/systemd/system/factory-backup.service
[Unit]
Description=Factory Database Backup Job
[Service]
Type=oneshot
User=factory
ExecStart=/opt/scripts/backup-surrealdb.sh
# After saving both unit files, reload systemd and enable the timer
sudo systemctl daemon-reload
sudo systemctl enable --now factory-backup.timer
Practical Example: Setting Up an Industrial Application Server From Scratch
# 1. Update the system
sudo apt update && sudo apt upgrade -y
# 2. Create application user
sudo useradd --system --no-create-home --shell /usr/sbin/nologin factory
# 3. Install Docker
curl -fsSL https://get.docker.com | sh
# Note: members of the docker group can get root-equivalent access to the host
sudo usermod -aG docker factory
# 4. Configure firewall
sudo ufw allow 22/tcp && sudo ufw allow 8080/tcp && sudo ufw allow 3000/tcp
sudo ufw enable
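# 5. Harden SSH (patterns match the lines whether or not they are commented out)
sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl restart sshd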
# 6. Automatic security updates
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
# 7. Deploy and verify
cd /opt/factory-monitor && docker compose up -d
docker compose ps && sudo ufw status
Summary
Linux system administration is the foundation of reliable industrial deployments. systemd manages your services, firewalls protect your network perimeter, proper user management limits the damage from compromised accounts, logs help you diagnose problems, and scheduled tasks automate routine maintenance. In the next lesson, you will learn CI/CD pipelines to automate the build, test, and deployment process.