WL#7787: Extend Secure Deployment WLs to all other unixes

Affects: Server-5.7   —   Status: Complete

Following secure deployment WLs were pushed in the MySQL 5.7.5 DMR.
WL#6962 : Deployment: random passwords generated for unattended installs
WL#6973 : Offer deployment without test db, test scripts or demofiles
WL#6977 : Remove all anonymous accounts from all default deployments

For this WLs, focus was RPMs for OEL.

This WL is to extend similar work on all other unixes.
FR1 : For all unixes packages which do not prompt user for passwords, random
password should be generated by default.

FR2 : For all supported unixes platforms, a package without Test/Demo
database(s), Test/Demo libraries, Test/Demo scripts or binaries should be provided.

FR3 : For all supported unix platforms, anonymous user should not be created by
At present, repo RPMs for OEL for MySQL 5.7 satisfy all of the requirements
mentioned in Functional Requirement section. In order to extend WL#6962,
WL#6973 and WL#6977, packages for various platforms for MySQL 5.7 will
support following:

Note : It is assumed that for every OS, all supported processor architectures
will be covered.

I-1 : Packages will have structure similar to repo RPMs. E.g. they will be split
  into various sub-packages (viz. server, client, test, development, ... etc).
  - At present, packages for following OSes do not have desired structure:
   - Generic .tar.gz format for linux
   - SLES (Recently implemented as part of REPO work)
   - Solaris
   - OS X
   - FreeBSD
  - Packages for above mentioned OSes pack all binaries/scripts/libraries/files in a
    single package.
  - For debian, repo project has helped creating a structure similar to RPMs.
    However, if required, these packages will be updated as mentioned in WL#6973
  - It would be good to make repo RPMs as reference point for splitting files into
    various sub packages. MySQL source contains this information in various scripts
    residing inside packaging and support-files directories.

I-2.1 : By default, random password must be generated for root user for all
packages that don't provide a better alternative (currently only the .deb
packages can read the password from the user). The mysql_install_db was modified
to generate random passwords by default and same is used for repo RPMs. All
other packages which use --skip-random-passwords will stop using it so that
random password generation happens by default, unless they can get the password
from user directly.

I-2.2 : For repo RPMs, mysql_secure_installation is run by default. This will be
extended to all OSes mentioned in I-1.

I-3 : As a part of WL#6977, mysql_install_db was modified to make sure that
anonymous user account are not created. If any of the platforms have separate
scripts/steps to generate such users after installation, such scripts/steps will
be removed.