Cloud & DevOps

Advanced Bash Scripting for Developers

Anurag Sinha
9 min read 0 Comments

Bash Is Ugly, Arcane, and Irreplaceable. Here’s How to Stop Fighting It.

Last year, at about 2 AM on a Saturday, a deployment pipeline at a company I was consulting for decided to eat itself. Kubernetes pods cycling in a crash loop. Three microservices refusing to talk to each other. The on-call engineer had tried the usual — restart, roll back, check the logs. Nothing worked. Twenty minutes in, I SSH’d into the bastion host, wrote a 40-line bash script that drained connections from the broken services, rotated their secrets, and restarted them in dependency order. Pipeline green in under a minute.

Nobody on the team knew Bash well enough to have done that. And look, I get it. Bash is weird. The syntax looks like it was designed by someone who was angry at readability. Half the features feel like accidents that got standardized. Why would anyone invest time learning this when Python exists? When Go exists? When purpose-built automation tools can do the same thing with nicer error messages?

Because Bash is already there. On every Linux box. In every CI runner. On every Mac. In every Docker container you’ll ever build. Zero dependencies. Zero installation. You open a terminal and it’s waiting for you. That ubiquity isn’t a small thing — it’s the thing. When the server is on fire and you need to fix it now, you don’t have time to pip install anything.

So yeah. It’s ugly. It’s arcane. And you need to know it. Let’s make peace with it.

Variables and Parameter Expansion

Bash variables are strings. All of them. Even the ones that look like numbers. There’s no type system, no declarations, no compiler catching your mistakes. What you get instead is parameter expansion — a set of string manipulation tricks baked directly into the shell that are surprisingly powerful once you memorize the syntax (and you will have to memorize it, because nobody can guess what ${version%%.*} does from first principles).

#!/bin/bash

# Variable assignment (no spaces around =)
project_name="my-web-app"
version="2.4.1"
deploy_env="${1:-staging}"  # Default to staging if no argument

# String manipulation with parameter expansion
echo "Project: ${project_name}"
echo "Uppercase: ${project_name^^}"
echo "Replace hyphens: ${project_name//-/_}"

# Substring extraction
echo "Major version: ${version%%.*}"    # 2
echo "Minor.patch: ${version#*.}"       # 4.1

# Default values and error checking
db_host="${DB_HOST:?ERROR: DB_HOST environment variable is not set}"
db_port="${DB_PORT:-5432}"
log_level="${LOG_LEVEL:-info}"

# Arrays
environments=("development" "staging" "production")
echo "Deploy targets: ${environments[*]}"
echo "Number of environments: ${#environments[@]}"

# Associative arrays (Bash 4+)
declare -A service_ports
service_ports[web]=8080
service_ports[api]=3000
service_ports[worker]=9090

for service in "${!service_ports[@]}"; do
    echo "$service runs on port ${service_ports[$service]}"
done

A few things worth your attention. That ${1:-staging} pattern — default values for arguments — shows up constantly in production scripts. Ship a deployment script that explodes when someone forgets an argument, and you’ll hear about it from the on-call engineer at 3 AM. Ship one that defaults to staging and logs what it’s doing, and nobody calls you at all. Defensive defaults aren’t optional in Bash. They’re survival.

The :? syntax is the aggressive cousin of :-. Where :- quietly substitutes a default, :? kills the script with an error message if the variable isn’t set. Use :- for “I have a sensible fallback.” Use :? for “this script cannot possibly run without this value, and I want it to fail loudly rather than silently do something wrong.”

Associative arrays (the declare -A ones) require Bash 4 or later. If you’re on macOS, the default /bin/bash is still version 3.2 because Apple refuses to ship GPLv3 software. Install Bash 5 via Homebrew and use #!/usr/bin/env bash as your shebang line. Or discover this the hard way when your script works on Linux CI but breaks on every developer’s MacBook.

Loops: More Patterns Than You’d Expect

Bash has more looping constructs than most people realize. Picking the right one for each job makes the difference between a script that reads cleanly and one that makes future-you curse past-you.

#!/bin/bash

# Iterate over files with a glob pattern
echo "=== JavaScript files ==="
for file in src/**/*.js; do
    [[ -f "$file" ]] || continue
    line_count=$(wc -l < "$file")
    echo "$file: $line_count lines"
done

# C-style for loop
echo "=== Retry loop ==="
max_retries=5
for ((i = 1; i <= max_retries; i++)); do
    echo "Attempt $i of $max_retries"
    if curl -sf "http://localhost:8080/health" > /dev/null 2>&1; then
        echo "Service is healthy!"
        break
    fi
    sleep $((i * 2))  # Exponential-ish backoff
done

# While loop reading lines from a file
echo "=== Processing config ==="
while IFS='=' read -r key value; do
    [[ "$key" =~ ^#.*$ ]] && continue  # Skip comments
    [[ -z "$key" ]] && continue          # Skip empty lines
    export "$key=$value"
    echo "Set $key=$value"
done < ".env"

# Process substitution to loop over command output
echo "=== Large files ==="
while IFS= read -r file; do
    size=$(du -h "$file" | cut -f1)
    echo "$size  $file"
done < <(find . -type f -size +10M 2>/dev/null)

That retry loop with sleep $((i * 2)) is one I reach for constantly. Waiting for a service to come up after a deploy, waiting for a database migration to finish, waiting for a DNS change to propagate. The exponential-ish backoff (it’s linear really, but close enough) keeps you from hammering a struggling service while still catching it quickly once it’s ready.

The while IFS= read -r pattern for processing command output deserves a moment. You might think for file in $(find ...) would work, and it will — until you hit a filename with a space in it. Then word splitting destroys your script. The while read with process substitution handles spaces, special characters, all of it. It’s uglier. It’s also correct. In Bash, those two things correlate more often than they should.

One gotcha with the .env file reader: if the last line of the file doesn’t end with a newline, read won’t process it. Always end your config files with a newline. Or add || [[ -n "$key" ]] to the while condition. Another one of those Bash quirks that bites everyone exactly once.

Functions and Error Handling: Making Bash Behave

Raw Bash is reckless. A command fails? Keep going. A variable is misspelled? Use an empty string. A pipe fails halfway through? Ignore it. Writing a serious script without fixing these defaults is like driving without seatbelts — fine until it isn’t.

Three words: set -euo pipefail.

#!/bin/bash
set -euo pipefail

# Trap for cleanup on exit
cleanup() {
    local exit_code=$?
    echo "Cleaning up temporary files..."
    rm -rf "$TEMP_DIR"
    if [[ $exit_code -ne 0 ]]; then
        echo "Script failed with exit code $exit_code" >&2
    fi
    exit "$exit_code"
}
trap cleanup EXIT

TEMP_DIR=$(mktemp -d)

# Function that returns a value via stdout
get_latest_tag() {
    local tag
    tag=$(git describe --tags --abbrev=0 2>/dev/null) || {
        echo "v0.0.0"
        return
    }
    echo "$tag"
}

# Function with validation
deploy_service() {
    local service="$1"
    local environment="$2"
    local version="${3:-latest}"

    # Validate inputs
    if [[ -z "$service" || -z "$environment" ]]; then
        echo "Usage: deploy_service SERVICE ENVIRONMENT [VERSION]" >&2
        return 1
    fi

    local valid_envs=("staging" "production")
    if [[ ! " ${valid_envs[*]} " =~ " ${environment} " ]]; then
        echo "ERROR: Invalid environment '$environment'" >&2
        echo "Valid options: ${valid_envs[*]}" >&2
        return 1
    fi

    echo "Deploying $service v$version to $environment..."

    # Simulate deployment steps
    echo "  Pulling image: registry.example.com/$service:$version"
    echo "  Running health checks..."
    echo "  Switching traffic..."
    echo "  Deploy complete."
}

# Function with retry logic
with_retry() {
    local max_attempts="$1"
    shift
    local cmd=("$@")
    local attempt=1

    until "${cmd[@]}"; do
        if ((attempt >= max_attempts)); then
            echo "FAILED after $max_attempts attempts: ${cmd[*]}" >&2
            return 1
        fi
        echo "Attempt $attempt failed, retrying in ${attempt}s..."
        sleep "$attempt"
        ((attempt++))
    done
}

# Usage
current_tag=$(get_latest_tag)
echo "Current version: $current_tag"
deploy_service "api-server" "staging" "2.4.1"
with_retry 3 curl -sf http://localhost:8080/health

Let me break down what set -euo pipefail actually does, because each flag earns its place.

-e exits the script immediately when any command returns a non-zero exit code. Without it, a failed rm or curl is silently ignored and the script keeps running on corrupted assumptions. With it, failure is loud and fast.

-u treats unset variables as errors. Typo $TEMO_DIR instead of $TEMP_DIR? Without -u, that evaluates to an empty string. With -u, the script stops and tells you what went wrong. Saved me from an rm -rf "/$WRONG_VAR" disaster at least once. You can probably guess what that would have done.

pipefail catches failures inside pipes. Without it, curl something | grep pattern returns the exit code of grep, not curl. If curl fails but grep succeeds (on empty input), your script thinks everything is fine. Pipefail makes the whole pipe fail if any command in it fails.

The trap cleanup EXIT pattern is equally important. Whatever happens — success, failure, Ctrl+C, an unexpected error — the cleanup function runs. Temporary directories get removed. Connections get closed. Locks get released. Without a trap, your /tmp fills up with orphaned directories and your colleagues start sending passive-aggressive Slack messages.

That with_retry function is worth stealing. Pass it an attempt count and any command, and it’ll retry with increasing delay. Generic enough to wrap around any flaky operation. I’ve used it for health checks, database connections, DNS lookups, S3 uploads — anything that might fail once but probably won’t fail three times in a row.

A Real-World Script: Project Bootstrapper

Theory is fine. Let’s build something you’d actually use. Here’s a script that sets up a new development project from scratch — creates the directory structure, initializes git, sets up a virtual environment or npm, configures pre-commit hooks, and runs the initial test suite.

#!/bin/bash
set -euo pipefail

PROJECT_NAME="${1:?Usage: $0 PROJECT_NAME [python|node]}"
PROJECT_TYPE="${2:-python}"
BASE_DIR="${HOME}/projects"

log() { echo "[$(date '+%H:%M:%S')] $*"; }
error() { echo "[ERROR] $*" >&2; exit 1; }

# Validate project type
[[ "$PROJECT_TYPE" =~ ^(python|node)$ ]] || error "Unknown type: $PROJECT_TYPE"

PROJECT_DIR="${BASE_DIR}/${PROJECT_NAME}"
[[ -d "$PROJECT_DIR" ]] && error "Directory already exists: $PROJECT_DIR"

log "Creating project: $PROJECT_NAME ($PROJECT_TYPE)"
mkdir -p "$PROJECT_DIR"/{src,tests,docs,.github/workflows}
cd "$PROJECT_DIR"

# Initialize git
git init
cat > .gitignore <<'GITIGNORE'
__pycache__/
*.pyc
node_modules/
.env
dist/
build/
*.egg-info/
.venv/
coverage/
GITIGNORE

# Language-specific setup
case "$PROJECT_TYPE" in
    python)
        log "Setting up Python project..."
        python3 -m venv .venv
        source .venv/bin/activate
        cat > requirements.txt <<'EOF'
pytest>=7.0
pytest-cov>=4.0
ruff>=0.1.0
EOF
        pip install -r requirements.txt -q
        cat > src/__init__.py <<'EOF'
"""${PROJECT_NAME} - A Python project."""
EOF
        cat > tests/test_main.py <<'EOF'
def test_placeholder():
    assert True
EOF
        log "Running initial tests..."
        pytest tests/ -v
        ;;
    node)
        log "Setting up Node.js project..."
        npm init -y -q
        npm install --save-dev jest eslint -q
        cat > src/index.js <<'EOF'
module.exports = { hello: (name) => `Hello, ${name}!` };
EOF
        mkdir -p tests
        cat > tests/index.test.js <<'EOF'
const { hello } = require('../src/index');
test('greets by name', () => {
    expect(hello('World')).toBe('Hello, World!');
});
EOF
        npx jest --passWithNoTests
        ;;
esac

# Create pre-commit hook
cat > .git/hooks/pre-commit <<'HOOK'
#!/bin/bash
set -e
echo "Running pre-commit checks..."
if [[ -f "requirements.txt" ]]; then
    ruff check src/ tests/ || exit 1
    pytest tests/ -q || exit 1
elif [[ -f "package.json" ]]; then
    npx eslint src/ || exit 1
    npx jest --passWithNoTests || exit 1
fi
echo "All checks passed."
HOOK
chmod +x .git/hooks/pre-commit

# Initial commit
git add -A
git commit -m "feat: initialize $PROJECT_NAME ($PROJECT_TYPE)"

log "Project ready at $PROJECT_DIR"
log "Files created:"
find . -not -path './.git/*' -not -path './node_modules/*' \
    -not -path './.venv/*' -type f | sort | head -20

Every pattern from the earlier sections shows up here. set -euo pipefail at the top. Parameter expansion with :? for required arguments and :- for defaults. Input validation before doing anything destructive. Functions for logging. A case statement for branching logic. Heredocs for multi-line file creation.

This script takes about 15 seconds to run. Setting up the same thing manually takes 10-15 minutes, and you'll forget something every third time -- the pre-commit hook, the .gitignore, the initial test to make sure the test runner is wired up correctly. Automation isn't about saving time on a single run. It's about eliminating the small mistakes you make when you're doing the same thing for the fiftieth time and your brain decides to skip a step.

Defensive Scripting: The Stuff Nobody Teaches

Beyond the basics, a few practices separate scripts that work from scripts that work reliably.

Quote everything. "$variable", not $variable. Unquoted variables undergo word splitting and glob expansion. A filename with a space in it, a variable that contains a *, an empty variable that collapses an argument list -- all of these will break your script in ways that are maddening to debug. Just quote. Always.

Use [[ ]] instead of [ ]. The double-bracket form handles empty strings without errors, supports regex matching with =~, and doesn't require quoting variables inside it (though you should quote anyway, because habits). Single brackets are POSIX-compatible but full of traps. Unless you're writing for /bin/sh specifically, use double brackets.

Declare variables local inside functions. Without local, every variable in a function is global. A helper function that uses i as a loop counter will clobber the i in whatever called it. This is a class of bug that produces absolutely baffling behavior. local prevents it entirely.

Run shellcheck. shellcheck.net is a static analysis tool for shell scripts. It catches unquoted variables, useless uses of cat, POSIX compatibility issues, and dozens of other common mistakes. Install it locally with apt install shellcheck or brew install shellcheck and run it on every script before committing. Better yet, add it to your CI pipeline so nobody can merge a script that shellcheck flags.

Log what you're doing. Every script that modifies system state should print what it's about to do before doing it. Not just for debugging -- for auditability. When the 3 AM incident review happens and someone asks "what exactly did the script change?", you want those logs to exist.

The Script That Saved Saturday Morning

Remember that 2 AM deployment disaster I mentioned at the start? Let me close the loop on it.

The bash script I wrote that night wasn't clever. It wasn't elegant. It didn't use any particularly advanced features. What it did was automate, in the right order, the exact sequence of steps that would have taken the on-call engineer 45 minutes to do manually -- drain connections, wait for in-flight requests to complete, rotate the expired secrets that had caused the cascade failure, restart each service after its dependencies were healthy, and verify the health endpoints before declaring victory.

Forty lines. Maybe fifty. I didn't count. I was tired and the monitoring dashboards were all red.

But here's the part that mattered. After we confirmed the fix, I cleaned up the script, added comments, added error handling, added the set -euo pipefail and the trap and the logging functions. Then I committed it to the team's runbooks repository with a description: "Emergency service rotation for secret expiry cascade."

Six weeks later, the same failure happened again. Different engineer on call. They found the script, ran it, fixed the problem in 90 seconds, and went back to sleep. Nobody had to call anyone. Nobody needed to SSH in and think on their feet at 2 AM.

That's the real value of Bash scripting. Not the language itself -- which, let's be clear, is a mess of historical compromises and POSIX compatibility hacks held together by stubborn convention. The value is in taking the hard-won knowledge from an incident, encoding it in a script that anyone can run, and making sure the next person who faces that problem doesn't have to be an expert. They just have to type ./fix-secret-cascade.sh and hit Enter.

Bash is ugly. Bash is arcane. Bash is every developer's reluctant old friend who shows up precisely when you need them most.

Stop fighting it. Learn it well enough that when the server is on fire, you're the one who can write the script that puts it out.

Leave a Comment

Your email address will not be published. Required fields are marked with an asterisk.