Mass Virtual Hosting Part Five: Dynamic MySQL Based Apache vhost Configuration with mod_vdbh

Please skip to Part 6 for advanced vhost configuration with database-backed flat files.

mod_vdbh is a relatively obscure gem of an Apache module. It doesn't look like it has been maintained in years and its website is gone so Google (at present) won't give you much on it except the usual package list results and odd blog post like this. Despite living in a day of quadruple-digit version numbers, some software reaches a point where it's "just done." (if you don't believe me look at qmail). I'm hoping that's the case here, because if there's any 0day or problems with future versions of apache we're SOL. FreeBSD and Gentoo keep it in their package managers and that's more or less good enough for me.

The README is hard to find so I'm posting it below for your viewing pleasure:

Configuring mod_vdbh in Apache Configure Files

In order to use mod_vdbh with Apache Web Server server configuration blocks will need to be configured with mod_vdbh configuration directives described in the table below. mod_vdbh configuration directives must be located in a server configuration block (ie <VirtualHost></VirtualHost>).

vdbh    This switch makes mod_vdbh active for the specified server.
vdbh_CLIENT_COMPRESS    Enables the CLIENT_COMPRESS option with a MySQL server allowing the connection data to be compressed. Using this option will likely require more cpu time and less network bandwidth.
vdbh_CLIENT_SSL Enables the CLIENT_SSL option when communicating with a MySQL server.
vdbh_MySQL_Database     Sets the database name to use when running a query for file name translations.
vdbh_MySQL_Table        Sets the table name to use when running a query for file name translations.
vdbh_MySQL_Host_Field   Sets the name of the host field in the table specified by vdbh_MySQL_Table.
vdbh_MySQL_Path_Field   Sets the name of the path field in the table specified by vdbh_MySQL_Table.
vdbh_MySQL_Environment_Field    Sets the name of the environment field in the table specified by vdbh_MySQL_Table. This optional field contains data that will be set to the VDBH_ENVIRONMENT variable.
vdbh_MySQL_Host Sets the internet hostname where the MySQL server is located at. This option is not required and defaults to localhost.
vdbh_MySQL_Port Sets the port number to connect to when making a connection to a MySQL server. This option is not required and defaults to 0 for using a UNIX domain socket.
vdbh_MySQL_Username     Sets the username required to gain access to the MySQL server. This option is not required.
vdbh_MySQL_Password     Sets the password required to gain access to the MySQL server. This option is not required.
vdbh_Path_Prefix        Sets an optional location to prefix translations by. This option is not required.
vdbh_Default_Host       Sets the default host to use if a non-HTTP/1.1 request was received. This option is not required and usually won't do anything because the Apache Web Server by default catches these errors.
vdbh_Declines   Sets a list of glob patterns to match URIs against. If any match occurs then the URI is declined to the next translate phase.

The vdbh_MySQL_Host_Field and vdbh_MySQL_Path_Field along with vdbh_MySQL_Environment_Field are available as environment variables and can be included in logs if a LogFormat is defined for them. The environment variables are labled VDBH_HOST, VDBH_PATH, and VDBH_ENVIRONMENT. Information on how to use LogFormat is available at http://httpd.apache.org/docs/mod/mod_log_config.html. An example configuration may look something like this.


vdbh On
vdbh_MySQL_Database virtual_hosts
vdbh_MySQL_Table virtual_hosts
vdbh_MySQL_Host_Field server
vdbh_MySQL_Path_Field path
vdbh_MySQL_Environment_Field environment_variable
vdbh_Default_Host julia.fractal.net
vdbh_Declines .htpasswd *.txt

The corresponding database schema would look like this.

CREATE TABLE virtual_hosts (
server char(255) NOT NULL,
path char(255),
environment_variable char(255),
PRIMARY KEY (server)

INSERT INTO virtual_hosts VALUES ('julia.fractal.net','/export/home/mlink/public_html','julia.fractal.net');
INSERT INTO virtual_hosts VALUES ('visualphixation.com','/export/home/carlosp','visualphixation.com');
INSERT INTO virtual_hosts VALUES ('www.visualphixation.com','/export/home/carlosp','www.visualphixation.com');
INSERT INTO virtual_hosts VALUES ('www.fractal.net','/export/web/www.fractal.net','www.fractal.net');
INSERT INTO virtual_hosts VALUES ('fractal.net','/export/web/www.fractal.net','fractal.net');

Other handlers should still work accordingly.  mod_vdbh declares its translate_name phase as AP_HOOK_FIRST so it can run before other translations.  An example configuration allowing mod_tcl in specific directories follows.

vdbh On
vdbh_MySQL_Database virtual_hosts
vdbh_MySQL_Table virtual_hosts
vdbh_MySQL_Host_Field server
vdbh_MySQL_Path_Field path
vdbh_MySQL_Environment_Field environment_variable
vdbh_Default_Host julia.fractal.net
vdbh_Declines .htpasswd *.txt

<Directory /export/web/www.fractal.net>
AddHandler tcl-handler tm

Tcl_ContentHandler content_handler

<Directory /export/web/www.fractal.net/images>
SetHandler default-handler

Options Indexes FollowSymLinks

AllowOverride None

Order allow,deny
Allow from all

<Directory /export/web/www.fractal.net/files>
SetHandler default-handler

Options Indexes FollowSymLinks

AllowOverride None

Order allow,deny
Allow from all

Additional Information

mod_vdbh assumes that its connection to the MySQL server is persistent. If there are excessive disconnections try setting the wait_timeout variable for MySQL to a larger value. Apache Web Server 2.0 is required, and at least MySQL 3.23 is required.


mod_vdbh is an Apache 2.0 module using MySQL libraries, more about Apache Web Server can be found at http://www.apache.org/. Documentation regarding MySQL can be found at http://www.mysql.com/

That's right. That's all there is to it. If you've been following the other parts in this series on Mass Virtual Hosting you should have a keen eye for the ways MySQL-backed services can be used (sexually?) to integrate into your custom web hosting front-end - or anything that interfaces with MySQL/ODBC!

Remote Ethernet Packet Capture with Wireshark and tshark over SSH

Wireshark is a powerful and popular packet capture and analysis suite that runs on Windows and most flavours of UNIX. Often one finds one's self in need of its GUI's abilities on remote, headless servers without X windows (and who wants to install X on a server if they don't have to?). One has three options: use a text/ncurses based packet capture system like ettercap to analyze the traffic on the server itself, save packet capture files and move them to your Wireshark host or pipe the output from tshark - Wireshark's text interface - to your client in real-time. The last option suits me best; I don't want to have to learn two packet capture suites if I can only use one and it is often useful to see the packets fly by as they come.

To compile Wireshark without the GUI, and therefore all of its X windows dependencies, on Gentoo:

# USE="-gtk" emerge wireshark

Or disable the GTK use flag in your /etc/make.conf.

The next step is to establish passwordless root ssh access to the target machine. This should only be temporary as it is best practice to disallow any form of remote login for the root user. Please read my previous article, Passwordless or Single Password SSH with Key Exchange but be sure to use a blank passphrase for your key and disregard the part about restricting root access. Once this has been completed and you are able to log in to the target server by simply typing ssh hostname you are ready to begin your packet capture.

On the client which runs the GUI version of Wireshark, open up a shell as root and run the following:

wireshark -k -i < ( ssh -l root xxx.xxx.xxx.xxx /usr/bin/tshark -i eth0 -w - )

Be sure to change the path to tshark if this does not reflect your installation. Adjust the interface (-i flag) to match your target.

Mass Virtual Hosting Part Three: Disk Quotas (including NFS)

Disk quotas allow one to limit the amount of space a user or group may use on a particular filesystem. The traditional linux quota implementation allows two sorts of limit: soft limits, which the user/group may exceed for a given grace period and hard limits which may not be exceeded at all. Soft limits are great in situations where users may need significant amounts of storage only temporarily, as in the case with burning ISOs or intensive rendering software and other temporary-file generating activity. In a webhosting environment one typically offers different plans with a set limit of storage, so soft limits are probably redundant for our purposes. Since quotas can be applied to any user or group they can also be used to ensure particular daemons do not run roughshod over the filesystem, like apache access logs might during an HTTP GET denial of service attack.

If you will be using NFS to remotely mount filesystems you intend to implement quotas on you must implement them on the NFS server and use some sort of UID/GID consistency like NIS or libnss-mysql. Your kernel must be compiled with quota support or have it available as a module to enforce the limits. It is possible to set up quotas on a system running a quota-incapable kernel then activate them later by incorporating quota support. In menuconfig, set this option to module or compiled-in, if you choose to compile it as a module ensure that it is automatically loaded:

  • File systems
    • Quota support

You must also install the userspace tools, emerge quota on Gentoo. Next add usrquota and/or grpquota depending on your needs to the options field of the target filesystem(s), i.e:

/dev/sdX1               /mnt/storage     ext3            defaults,nosuid,noexec,nodev,noatime,usrquota,grpquota   0 0

In this example we are also disabling binary execution and some potentially dangerous filesystem options such as SUID and device files for security purposes. You may remount the filesystem to apply the changes:

# mount -o remount /mnt/storage

Now in the root of every filesystem to have quotas create and secure the quota files:

# touch /mnt/storage/aquota.user
# touch /mnt/storage/aquota.group
# chmod 600 /mnt/storage/aquota.user
# chmod 600 /mnt/storage/aquota.group
# /usr/sbin/quotacheck -avug

Unless you will be exclusively using XFS you must add the quota init script to your runlevel. On Gentoo:

# rc-update add quota boot

Next you must decide how often the quotas are checked, in other words how often the total recorded space users and groups are consuming  is updated. You must weigh the importance of accurate reporting against the potential resource load scanning the filesystem(s) may incur. Drop this scriptlet into a /etc/cron.* directory and chmod +x it:

/usr/sbin/quotacheck -avug

Quotas can be edited by the program edquota, with the -u flag and a user's name or a -g flag and a group's name respectively. Use the -f flag and the target filesystem's mountpoint to restrict operations to one particular filesystem, otherwise edquota will default to all filesystems with quotas enabled. Edquota uses your EDITOR environment variable to load a temporary file containing a tabular representation of a user's soft and hard quotas as well as currently used space. Simply change the soft and hard quota limits and save the file, the new values will be applied immediately. This is how user test's quota looks like when edited with nano:

# edquota -f /mnt/storage -u test

Disk quotas for user test (uid 5000):
  Filesystem                   blocks       soft       hard     inodes     soft     hard
  /dev/sdX1                         0          0          0          0        0        0

It should be noted here that quotas can also be set on the number of inodes a user or group may use, effectively limiting the total number of files they can create. This is probably not practical for our needs, where space is the concern and we will mostly be hosting websites composed of relatively many, relatively small files. The blocks and inodes fields tell us how much the user was using the last time quotacheck was run while the soft and hard fields are their limits respectively. Once you have finished configuring the user or group's quotas simply save and exit the editor and the changes will be saved.

We can use repquota to see a filesystem's overall use on a per-user basis, simply specify the mountpoint of the filesystem in question:

# repquota /mnt/storage/
*** Report for user quotas on device /dev/sdX1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
root      --  180240       0       0              7     0     0
test      +- 1738760     500     500  3days       5     0     0

The output is similar to edquota. Note the -- and +- column: the first character indicates whether the user's hard quota is over limit or under limit, denoted by the + and - symbols respectively, and the second character represents the soft quota. In this example we can see user test is very much over their 500 block hard limit. They will not be able to create any more files until they have cleared out enough space to put them back under the limit.

Quotas are fully enforced on an NFS server, but to share information about the quotas to NFS clients you must ensure rpc.rquotad is running. On gentoo alter /etc/conf.d/nfs to reflect:

# Optional services to include in default `/etc/init.d/nfs start`
# For NFSv4 users, you'll want to add "rpc.idmapd" here.
NFS_NEEDED_SERVICES="rpc.idmapd rpc.rquotad"

Then restart your nfs init script:

# /etc/init.d/nfs restart

On the NFS client change the share's fstab column so that the options field contains quota, for example:

nfs-server:/mnt/storage        /home   nfs             rsize=32768,wsize=8192,soft,timeo=10,rw,intr,nosuid,noexec,nodev,quota          0 0

Remount the filesystem and you should be able to interface with the quotas on the remote NFS server. Be sure to use the -r flag when modifying quotas from the client(s).

Mass Virtual Hosting Part Two: Easy SFTP Chroot Jail

Plain FTP suffers from a number of problems, foremost is transmission in cleartext. Unless SSL is used (I have come across very few occurrences of its use in the wild) usernames and passwords, as well as the files being transmitted, are sent over the wire unencrypted. This means anyone with a well-placed sniffer or man-in-the-middle setup between the client and server can intercept or mutilate the data without much skill or resource cost. FTP also suffers from NAT issues, in that some users must forward ports or use passive transfer mode - words most of the users who will be using your hosting service have probably never heard, don't want to hear and have no idea how to implement.

Enter SFTP: file transfer over Secure Shell. Not to be confused with FTPS, or "FTP Secure" (FTP with SSL), SFTP shares nothing in common with FTP other than its purpose: moving files around the network. SFTP uses a single, wholly encrypted tunnel from the client to the server to send and receive files. This avoids the problems associated with NAT and FTP's dual-connection implementation, provides a relatively secure means of authentication and prevents third-party manipulation of the data in transit. SSH also warns users when a server's RSA keys change so diligent users can identify and avoid potential man-in-the-middle attacks. SFTP is not, however, a perfect solution. OpenSSH, the implementation which we will be dealing with in this article, can be found on most Linux and BSD servers. Due to its ubiquity it is a prime target for 0-day exploits on one hand, and well hardened against known exploits on the other (you do keep your software patched and up-to-date, right?).

SSH, like any service that uses a username-password authentication scheme - including FTP, is vulnerable to brute-force or dictionary cracking attacks. This problem can be virtually eliminated by disabling user-pass authentication altogether and using on shared keys (please my article Passwordless or Single Password SSH with Key Exchange for instructions on implementing this configuration) however this is probably not an appropriate solution for your public hosting project as the process is difficult for regular users to implement, particularly if they are using a Windows client such as FileZilla. One solution which I highly recommend is fail2ban, it will read your sftpd logs and temporarily block an IP address associated with a specified number of failed attempts over a given period of time. I have provided simple instructions for implementing fail2ban for SSH in my article Stifling Brute Force Attacks with fail2ban. Because we are dealing with a situation where users are prone to forget their password you may wish to use fairly loose criteria in configuring fail2ban, enough failures should be tolerated that a forgetful user won't be quickly blocked but an automated attack should be picked up. You might also wish to block access to sftpd rather than all ports as affected users might understand sftp disappearing after several failed attempts but could think the server is down if they are unable to access their website (assuming it is hosted from the same server).

The "chroot jail" concept is as old as the hills and has provided a way for us to separate vulnerable services from the filesystem-at-large by faking them into thinking a certain directory is the absolute root (/) of the filesystem. In this article we're going to apply this concept to regular users using OpenSSH's built-in functionality available since version 4.9. Before then it was a royal pain to implement whereas most popular FTP daemons had supported the feature out-of-the-box for years, now SFTP can finally be considered a complete and suitable replacement.

One probably does not wish to restrict SSH access for ALL user accounts, since one probably needs remote administrative access to the machine. Therefore one shall create a group to which users who must be chroot jailed will be added. For the purposes of this article we shall call the group hosted but you may call it anything:

# groupadd hosted

Next add users to the group, if you want to make sure these users do not get regular shell access (the ability to log in and run commands etc) be sure to specify a dummy shell, such as /bin/false or /sbin/nologin (Gentoo):

# useradd -G hosted -s /bin/false demo-user
# usermod -G hosted -s /bin/false demo-user

Don't forget to give your test account a password if it is a new account.

# passwd demo-user

Now open your sshd config file (most users: /etc/ssh/sshd_config) and go to the very bottom. If there is a Subsystem sftp line already delete it. Add the following:

Subsystem       sftp    internal-sftp
Match Group hosted
        ChrootDirectory %h
        ForceCommand internal-sftp
	AllowTcpForwarding no

The Match Group directive tells sftpd to use the proceeding settings for any user in the group hosted. Now you must change the owner (and optionally group) of the user's home directory to root:

# chown root: /home/demo-user

Due to these permissions the user will not be able to create new files at the top level of their directory tree, which to you looks like /home/demo-user and to them /. That's fine because we're going to give them a directory for the site they want to host with appropriate ownership, then they can do whatever they want in that. I typically set users up thus:

# mkdir ~demo-user/demo-site.com
# mkdir ~demo-user/demo-site.com/htdocs
# mkdir ~demo-user/demo-site.com/log
# mkdir ~demo-user/demo-site.com/cgi-bin
# chown demo-user: ~demo-user/demo-site.com/ -R

Restart your sshd (/etc/init.d/ssh(d) restart) and try logging in as your jailed user via sftp. If it works, congratulations. If you chose to restrict regular SSH access you may need to include /bin/false (or /sbin/nologin etc) to your /etc/shells valid shells list or the user may not be able to log in at all. Try logging in via SSH to ensure access has been blocked.

Mass Virtual Hosting Part One: Database-Backed User Accounts and Authentication

In situations where the creation of UNIX system accounts (for file system permissions and s/ftp authentication, etc.) should be automated or managed remotely it is possible to use MySQL to store user and group information, thanks to libnss-mysql. There is another project named NSS MySQL which provides the same functionality but for the purposes of this article we will only deal with the former, as it has been more recently updated and is the only one included in Gentoo's Portage package management system.

NSS stands for Name Service Switch, it provides a convenient way to replace or supplement the traditional /etc/passwd /etc/shadow /etc/groups system with anything from LDAP to MySQL tables. It sits at the layer below PAM (which can only handle authentication) and this allows it to transparently handle user and group lookups and modifications from unmodified system tools. For example, using ls to show a directory listing would pull the correct user and group names from the database and using passwd to change the password of an account in the database would interface with the database and not /etc/shadow.

Once you have installed libnss-mysql (emerge libnss-mysql on Gentoo - add it to your package.keywords to grab the last, CVS-based and bug-fixed release) create a database somewhere accessible to both the intended management interface and the system where account information is to be supplemented. Sharing this database across multiple libnss-mysql enabled hosts allows one to maintain a consistent authentication system across them.

# The tables ...
  name varchar(16) NOT NULL default '',
  password varchar(34) NOT NULL default 'x',
  gid int(11) NOT NULL auto_increment,
  PRIMARY KEY  (gid)

CREATE TABLE grouplist (
  rowid int(11) NOT NULL auto_increment,
  gid int(11) NOT NULL default '0',
  username char(16) NOT NULL default '',
  PRIMARY KEY  (rowid)

  username varchar(16) NOT NULL default '',
  uid int(11) NOT NULL auto_increment,
  gid int(11) NOT NULL default '5000',
  gecos varchar(128) NOT NULL default '',
  homedir varchar(255) NOT NULL default '',
  shell varchar(64) NOT NULL default '/bin/bash',
  password varchar(34) NOT NULL default 'x',
  lstchg bigint(20) NOT NULL default '1',
  min bigint(20) NOT NULL default '0',
  max bigint(20) NOT NULL default '99999',
  warn bigint(20) NOT NULL default '0',
  inact bigint(20) NOT NULL default '0',
  expire bigint(20) NOT NULL default '-1',
  flag bigint(20) unsigned NOT NULL default '0',
  PRIMARY KEY  (uid),
  UNIQUE KEY username (username),
  KEY uid (uid)

# The permissions ...
GRANT USAGE ON *.* TO `nss-root`@`localhost` IDENTIFIED BY 'rootpass';
GRANT USAGE ON *.* TO `nss-user`@`localhost` IDENTIFIED BY 'userpass';

GRANT Select (`username`, `uid`, `gid`, `gecos`, `homedir`, `shell`, `password`,
              `lstchg`, `min`, `max`, `warn`, `inact`, `expire`, `flag`)
             ON `auth`.`users`
             TO 'nss-root'@'localhost';
GRANT Select (`name`, `password`, `gid`)
             ON `auth`.`groups`
             TO 'nss-root'@'localhost';

GRANT Select (`username`, `uid`, `gid`, `gecos`, `homedir`, `shell`)
             ON `auth`.`users`
             TO 'nss-user'@'localhost';
GRANT Select (`name`, `password`, `gid`)
             ON `auth`.`groups`
             TO 'nss-user'@'localhost';

GRANT Select (`username`, `gid`)
             ON `auth`.`grouplist`
             TO 'nss-user'@'localhost';
GRANT Select (`username`, `gid`)
             ON `auth`.`grouplist`
             TO 'nss-root'@'localhost';

Modify the permissions section to reflect your needs. libnss-mysql uses a so-called 'user' account for routine operations and a 'root' account for privileged operations, designated by nss-user and nss-root respectively above. Next we must configure the library, edit /etc/libnss-mysql.cfg and change only the authentication information at the bottom of the file:

host        localhost
database    auth
username    nss-user
password    userpass
#socket      /var/lib/mysql/mysql.sock
#port        3306

The SELECT queries at the top of the file can be modified later to integrate into an existing user database of your own design, it is important that only the columns (under any name) specified in the original queries are returned and in that order. Next alter /etc/libnss-mysql-root.cfg to reflect the libnss-mysql 'root' user's MySQL credentials (for obvious reasons these files should have restrictive permissions):

username    nss-root
password    rootpass

libnss-mysql makes use of persistent DB connections, which can be problematic in multithreaded environments as a new connection is established for each thread. For that reason it is recommended to pass the connections through something like mysql-proxy or nsscache/nscd. The problem can also be mitigated by reducing the timeout for persistent connections (default 8 hours) on the MySQL server to something like 1 minute, however this may not be a great idea if the MySQL server is used for other purposes (web hosting etc). Now that we have configured libnss-mysql we must teach NSS to use it. Alter these lines in /etc/nsswitch.conf to reflect:

passwd: files mysql
shadow: files mysql
group:  files mysql

files means first read the traditional /etc/passwd shadow and group files, failing lookup use libnss-mysql (mysql). This lets regular system accounts which we have already created remain valid, important because we don't want to have to import root, your regular user account(s) and all of the daemon accounts. More importantly still if connectivity to the database is lost it is still possible to log in to perform administrative duties. You will note that we created the groups and user tables with an AUTO_INCREMENT set to 5000. Most systems begin creating local user accounts at UID 1000, this amount of space between file-based accounts and database-backed accounts should be enough to keep accounts from overlapping, however your situation may require adjustment. Let's create a test account and see how we did:

INSERT INTO users (username,gecos,homedir,password)
    VALUES ('test', 'Test Account', '/home/test', ENCRYPT('test'));
INSERT INTO groups (name)
    VALUES ('test');
INSERT INTO grouplist (gid,username)
    VALUES (5000,'test');

Here we have created a user named test, with the password 'test', in the group test. The gid value in the last INSERT query should be changed to reflect the UID of the new users in subsequent runs. Create /home/test and chown test:test /home/test. When you ls -lsah /home do you see test and test under user and group next to the test directory? If so congratulations, you have successfully configured libnss-mysql. You may wish to further test your configuration by logging in via ssh/sftp.

It should be easy to see how one can manipulate these queries to add, delete and manage system accounts directly from inside your web-based management interface or other applications, the potential here is limitless.

I encountered a problem setting up a new mysql (server) installation on a host that was configured to use libnss-mysql. The message goes something like:

#  /usr/bin/mysql_install_db
Installing MySQL system tables...    
100706  9:09:15 - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.                                                           

It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 76800 K
bytes of memory                                                                  
Hope that's ok; if not, decrease some variables in the equation.                 

Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went   
terribly wrong...                                                      
Cannot determine thread, fp=0x841099c, backtrace may not be correct.   
Bogus stack limit or frame pointer, fp=0x841099c, stack_bottom=0xbffe0000, thread_stack=196608, aborting backtrace.
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains                                        
information that should help you find out what is causing the crash.                                               

This crash occured while the server was calling initgroups(). This is
often due to the use of a mysqld that is statically linked against glibc
and configured to use LDAP in /etc/nsswitch.conf. You will need to either
upgrade to a version of glibc that does not have this problem (2.3.4 or  
later when used with nscd), disable LDAP in your nsswitch.conf, or use a
mysqld that is not statically linked.                                    
Installation of system tables failed!                                    

Examine the logs in /var/lib/mysql for more information.
You can try to start the mysqld daemon with:            
/usr/sbin/mysqld --skip-grant &                         
and use the command line tool                           
/usr/bin/mysql to connect to the mysql                  
database and look at the grant tables:                  

shell> /usr/bin/mysql -u root mysql
mysql> show tables                 

Try 'mysqld --help' if you have problems with paths. Using --log
gives you a log in /var/lib/mysql that may be helpful.          

The latest information about MySQL is available on the web at
Please consult the MySQL manual section: 'Problems running mysql_install_db',
and the manual section that describes problems on your OS.                   
Another information source is the MySQL email archive.                       
Please check all of the above before mailing us!                             
And if you do mail us, you MUST use the /usr/bin/mysqlbug script!

Of course, I was running glibc 2.11.2 and have nothing in the way of LDAP configured. Unfortunately there is no workaround, you must run the mysql daemon on  a separate server that does not use libnss-mysql.