Panduan Lengkap Instalasi Kali Linux: Dari Persiapan Hingga Konfigurasi Awal

The day the load average hit 400

I still remember staring at a blinking cursor back in 2016, sweating through my shirt while the CTO stood behind me. We had a database server—a beast of a machine for the time, running CentOS 7—that had suddenly crawled to a halt. The load average was sitting at 400. For those new to this, a load average of 1.0 usually means one CPU core is fully utilized. We had 32 cores. So, 400 meant the queue for the CPU was wrapping around the block.

My first instinct, like many people who've just moved past the "beginner" stage, was to run top and look for the process eating all the CPU. But here's the thing: CPU usage was near zero. The system was 98% idle. It didn't make any sense to me at the time.

It took me 45 minutes to realize I was looking at the wrong metric. I wasn't dealing with CPU load; I was dealing with I/O wait. A failing RAID controller was causing every single read/write request to hang, and in Linux, processes waiting on disk I/O are considered "runnable" for load calculations. That was my wake-up call. I realized I knew how to install packages and edit config files, but I didn't actually understand how the OS worked. That's what we're going to talk about today. Not the flashy desktop environments or the latest distro wars, but the plumbing that actually keeps the internet running.

The Kernel isn't a black box: Understanding /proc and /sys

When I started out, I treated the kernel like a sealed engine block—you don't touch it, you just hope it works. But honestly, that's the wrong approach if you want to handle production environments. The Linux kernel exposes almost everything to you as a file, mostly inside the /proc and /sys directories. These aren't real files on a disk; they are direct windows into the kernel's memory.

For example, have you ever wondered how top or htop gets its data? They just read text files in /proc. You can do it yourself. If you look at /proc/meminfo, you'll see the raw memory stats. If you want to change how the kernel handles networking traffic, you don't need to recompile anything. You just write a value to a file.

I remember battling a massive traffic spike on a web server about four years ago. The server kept dropping connections even though we had plenty of RAM. It turned out the default connection queue size was too small. I didn't need to download a patch. I just ran:

echo 1024 > /proc/sys/net/core/somaxconn

That command instantly told the kernel, "Hey, allow more pending connections." Understanding that you can tune the engine while the car is driving is probably the biggest leap from intermediate to advanced Linux usage. Just be careful—I once accidentally echoed a value into the wrong file and panicked the kernel, forcing a hard reboot. Lesson learned: always double-check the path before hitting enter.

Systemd: Stop fighting it and learn the unit files

Look, I get it. If you've been around since the SysVinit days, systemd feels like an overreach. It's huge, it's complex, and it swallows logs into a binary format. I resisted it for years. I wrote angry forum posts about it. But eventually, I had to admit that for managing complex server dependencies, it's actually pretty brilliant.

The power isn't in systemctl start or stop. It's in the unit files. A few months back, I had a Python application that would crash randomly due to memory leaks. While the devs were fixing the code, I needed a band-aid. In the old days, I would have written a hacky cron script to check if the process was running and restart it.

With systemd, I just added these lines to the service file:

• Restart=always
• RestartSec=5
• MemoryMax=2G

That's it. Systemd started monitoring the process, restarting it if it crashed, and hard-killing it if it exceeded 2GB of RAM. If you're still writing shell scripts to manage service lifecycles in /etc/init.d/, you are making your life harder than it needs to be. Learn the syntax for .service and .timer files. It replaces cron for system tasks, and because it handles logging via journalctl, you don't have to worry about your script's output disappearing into the void.

The truth about "Free" RAM

This is probably the most common email I get from junior admins or clients. "Hey, the server is running out of RAM! We need to upgrade!" They send me a screenshot of free -h showing that out of 32GB of RAM, only 500MB is "free."

Here is the reality: Unused RAM is wasted RAM. Linux knows this. If your application isn't using the memory, Linux will borrow it to cache files from the disk. This makes your system feel snappy because reading from RAM is nanoseconds, while reading from an SSD is microseconds (or milliseconds for spinning rust).

You need to look at the "available" column, not the "free" column. The "buff/cache" usage is memory that contains data, but the kernel can drop it instantly if an application actually needs that space. I used to panic about this constantly. I'd even run commands to manually drop the caches (echo 3 > /proc/sys/vm/drop_caches), thinking I was "cleaning" the server. All I was doing was slowing down the system because now it had to re-read everything from the disk. Don't micro-manage the memory manager unless you have a very specific reason, like benchmarking.

Strace: The tool that makes you look like a wizard

If there is one tool that separates the hobbyists from the pros, it's strace. It intercepts the system calls between a program and the kernel. It sounds technical, but it's incredibly practical.

I had a situation last year where a proprietary backup script provided by a vendor was failing silently. No error message, no log output. It just quit. Support told me to "reinstall the OS." Instead, I ran:

strace -f -o output.txt ./backup_script.sh

I opened the text file and searched for "E" (for Error) or "-1". I found a line where the script tried to open a specific temporary file in /tmp and got a "Permission Denied" error. It turned out a previous run of the script (run as root) had left a file there that the current user couldn't overwrite. I deleted the file, and the script worked.

The vendor support team was stunned. They thought I had decompiled their code. Nope, I just watched what the process was asking the kernel to do. Be careful running this on production systems under heavy load, though. strace adds significant overhead. It halts the process for every single system call to record it. If you do this on a high-traffic database, you might cause a timeout. I learned that the hard way on a live MySQL server—latency spiked from 2ms to 150ms instantly.

inodes: The invisible limit

Disk space isn't just about gigabytes. It's also about file count. Every file on your filesystem uses an "inode" (index node) to store metadata like permissions and ownership. The filesystem has a fixed number of these inodes created when you format the disk.

I once managed a mail server that stopped accepting emails. I checked df -h and the disk was only 40% full. I was baffled. I tried to create a test file and got "No space left on device." That's a gaslighting error message if I've ever seen one.

The command I should have run was df -i. It showed inode usage at 100%. A PHP session cleaner script had broken, and there were millions of tiny 4KB session files cluttering the drive. We had plenty of space, but no slots to put files in. Deleting millions of files is also tricky because rm * will fail if the argument list is too long. I had to use find . -type f -delete, which took hours. Now, I always monitor inode usage alongside disk usage.

Permissions beyond chmod 777

We need to talk about permissions. If your solution to a "Permission Denied" error is chmod 777, you are setting yourself up for a security disaster. I see this in tutorials all the time, and it drives me crazy. 777 gives read, write, and execute permissions to everyone. The owner, the group, and the rest of the world.

Real advanced Linux usage involves Access Control Lists (ACLs). Sometimes the standard User-Group-Other model isn't enough. Maybe you need the web server (www-data) to write to a directory, and the developer user to write to it, but you don't want to put them in the same group for security reasons.

setfacl is the command you need. It allows you to grant specific permissions to specific users on a single file or directory.

setfacl -m u:jdoe:rw /var/www/html/config.php

This gives user jdoe read/write access without changing the file's owner or opening it up to the world. Another tool in this realm is chattr. If you have a critical configuration file that you don't want anyone (even root!) to accidentally delete or modify, you can make it immutable:

chattr +i critical_file.conf

Even rm -rf will fail on that file until you remove the attribute. I use this on my /etc/resolv.conf because some network managers love to overwrite it automatically.

Frequently Asked Questions

Why does my server load spike at the same time every day?

If you see a perfectly timed spike, it's almost always a cron job or a systemd timer. The most common culprit is updatedb (which indexes files for the locate command) or log rotation. I check /etc/cron.daily or use systemd-analyze blame to see what services are dragging things down. If it's updatedb, and you have a massive filesystem, it can thrash your disk I/O. I usually disable it on production servers because I rarely use locate there.

Is Swap space actually necessary on modern servers with lots of RAM?

This is a hot debate, but my take is yes, you still need it, but you don't need double your RAM like the old rules said. Swap gives the kernel a safety valve. If you have absolutely zero swap and your memory fills up, the OOM (Out of Memory) Killer kicks in immediately and starts murdering processes to save the kernel. Usually, it kills the database because it's the biggest consumer. With a little bit of swap, the system slows down instead of crashing, giving you time to react. I usually allocate 2GB-4GB of swap regardless of how much RAM I have.

What is the difference between hard links and soft links?

Think of a soft link (symbolic link) like a desktop shortcut in Windows. It points to the original file's path. If you delete the original file, the link breaks. A hard link, however, points to the actual data on the disk (the inode). If you hard link File A to File B, they are effectively the same file with two names. You can delete File A, and the data still exists as File B. I use hard links for backups to save space—if a file hasn't changed, I hard link it to the previous backup.

Why shouldn't I just log in as root?

Convenience is the enemy of security. When you log in as root, one typo in a command like rm can wipe your system. When you use sudo, you have to consciously type it, which gives you a split-second to think, "Do I really want to do this?" Also, from an auditing perspective, if everyone logs in as root, the logs just show "root did this." If everyone logs in as their own user and uses sudo, the logs show "jdoe used sudo to do this." It's about accountability.

It never really ends

The thing about Linux is that you never actually "master" it. You just get better at figuring out why it's broken. I've been doing this for over 15 years, and just last week I learned a new flag for rsync that saved me hours of transfer time (--sparse, if you're curious). The tools change, the kernel evolves, and there is always another layer of abstraction to peel back.

Don't get discouraged if the concepts like inodes or load averages feel abstract right now. The best way to learn isn't reading a blog post; it's breaking a VM and trying to fix it without reinstalling. Go delete a critical library file and see if you can recover. Fill up a disk and try to free space. That's where the real learning happens.

Related Posts