Issue Description
I'm running a podman --rootfs container with a rootfs path that is read-only and I want to be able to make some of the paths inside the container read/write with volumes. The problem is that --volume=/path to give me an anonymous volume that will get cleaned up when the container gets cleaned up isn't working because the copy up to initially populate the volume is failing:
```console
[root@ibm-p8-kvm-03-guest-02 ~]# podman run -it --rm --privileged --workdir=/root/ --volume=/root/ --rootfs /var/cosa bash
Error: reading contents of source directory for copy up into volume e3fdf29705271f0577645777711e2517feec51d5c99228c106ef9b2fe071e7ee: open /var/cosa/root: permission denied
```
I'm not sure why it's failing, but what's more important here is I actually don't want the volume to be pre-populated with anything. So I try with :nocopy but that clearly won't work:
```console
[root@ibm-p8-kvm-03-guest-02 ~]# podman run -it --rm --privileged --workdir=/root/ --volume=/root/:nocopy --rootfs /var/cosa bash
Error: invalid container path "nocopy", must be an absolute path
```
What does work is if I give the volume a name:
```console
[root@ibm-p8-kvm-03-guest-02 ~]# podman run -it --rm --privileged --workdir=/root/ --volume=volroot:/root/:nocopy --rootfs /var/cosa bash
bash-5.2#
bash-5.2# exit
exit
[root@ibm-p8-kvm-03-guest-02 ~]# podman volume list
DRIVER      VOLUME NAME
local       volroot
```
but clearly as shown above, now I'm leaking volumes when I'd prefer not to.
Is there any way to pass options when you don't specify a host path? I guess if the answer is currently "no" one future solution could be to come up with a special name the user can use to request an anonymous volume explicitly.
Steps to reproduce the issue
```console
podman run -it --rm --privileged --workdir=/root/ --volume=/root/:nocopy --rootfs /var/cosa bash
```
Describe the results you received
```console
Error: invalid container path "nocopy", must be an absolute path
```
Describe the results you expected
Anonymous volume with :nocopy option enforced.
podman info output
```yaml
host:
  arch: amd64
  buildahVersion: 1.38.1
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-4.fc42.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 88.94
    systemPercent: 8.24
    userPercent: 2.82
  cpus: 1
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: coreos
    version: "42"
  eventLogger: journald
  freeLocks: 2046
  hostname: ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.13.0-0.rc7.20250114gitc45323b7560e.56.fc42.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 689229824
  memTotal: 2052243456
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-2.fc42.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-2.fc42.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-4.fc42.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/sbin/pasta
    package: passt-0^20250121.g4f2c8e7-2.fc42.x86_64
    version: |
      pasta 0^20250121.g4f2c8e7-2.fc42.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/sbin/slirp4netns
    package: slirp4netns-1.3.1-2.fc42.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 0
  swapTotal: 0
  uptime: 0h 6m 27.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.imagestore: /usr/lib/containers/storage
    overlay.mountopt: nodev,metacopy=on
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 10464022528
  graphRootUsed: 271036416
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.3.2
  Built: 1737504000
  BuiltTime: Wed Jan 22 00:00:00 2025
  GitCommit: ""
  GoVersion: go1.24rc2
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.2
```
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
No
Additional environment details
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting
I find the --volume syntax quite overloaded. For the parser to make sense we have three main states: /ctr-path -> anonymous volume, pathOrVolume:/ctr-path -> regular bind mount or volume mount, pathOrVolume:/ctr-path:options -> the same but with extra options.
As such it must parse your example as source:dest. Sure, we could come up with ways to allow that, i.e. :/ctr-path:options where the source would be left empty to signal an anonymous volume. However I would dislike that very much because it is easy to cause bugs if we allow an empty part there; consider something like $SOURCE:/dest:opts where the var is empty.
Giving the source a special name as you suggested is another way, but that also leaves the question of what name, and given volume names can be anything today we cannot break backwards compatibility by introducing a special name all of a sudden.
I think using --mount is much better suited to handle these; the argument parser there is IMO cleaner. An anonymous volume is defined as --mount type=volume,dst=/etc, and then options are just comma separated after it. Now nocopy isn't parsed there today either, so it does not solve your issue today, but I think adding it there is better.
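The two parsing models contrasted in the comment above, as an added example (this is illustrative code written for this page, not Podman's own parser). It implements the three colon-separated `--volume` states, shows why `/root/:nocopy` lands `nocopy` in the container-path slot, rejects the empty-source case the maintainer warns about (`$SOURCE:/dest:opts` with an unset variable), and contrasts that with a `--mount` key=value parser where an anonymous volume is signalled by the absence of `src=` rather than by an empty field. The bare `nocopy` key accepted by `ParseMount` is an assumed extension for the example; the comment states that `--mount` does not parse it today.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Mount is the normalised result of parsing one --volume or --mount argument.
// Illustrative type for this example, not Podman's internal representation.
type Mount struct {
	Type    string   // "bind" or "volume"
	Source  string   // host path or volume name; "" means anonymous volume
	Dest    string   // absolute path inside the container
	Options []string // e.g. "ro", "nocopy"
}

// Anonymous reports whether the mount is a container-scoped anonymous volume.
func (m Mount) Anonymous() bool { return m.Type == "volume" && m.Source == "" }

// ParseVolume follows the three colon-separated states described in the comment:
//   /ctr-path                    -> anonymous volume
//   pathOrVolume:/ctr-path       -> bind mount (absolute source) or named volume
//   pathOrVolume:/ctr-path:opts  -> the same with comma separated options
func ParseVolume(arg string) (Mount, error) {
	parts := strings.Split(arg, ":")
	if len(parts) > 3 {
		return Mount{}, fmt.Errorf("too many colons in volume spec %q", arg)
	}
	var m Mount
	if len(parts) == 1 {
		m = Mount{Type: "volume", Dest: parts[0]}
	} else {
		m = Mount{Source: parts[0], Dest: parts[1]}
		if len(parts) == 3 {
			m.Options = strings.Split(parts[2], ",")
		}
		if m.Source == "" {
			// The ambiguity the maintainer warns about: an unset $SOURCE in
			// "$SOURCE:/dest:opts" would otherwise silently become anonymous.
			return Mount{}, errors.New("empty source in volume spec")
		}
		if strings.HasPrefix(m.Source, "/") {
			m.Type = "bind"
		} else {
			m.Type = "volume"
		}
	}
	if !strings.HasPrefix(m.Dest, "/") {
		// Same failure as "/root/:nocopy" in the issue: "nocopy" ends up as the dest.
		return Mount{}, fmt.Errorf("invalid container path %q, must be an absolute path", m.Dest)
	}
	return m, nil
}

// ParseMount handles the key=value form the comment recommends, e.g.
// "type=volume,dst=/etc". Anonymity is signalled by the absence of src=, so no
// empty field is ever interpreted. The bare "nocopy" key is an assumed
// extension for this example (the comment says --mount does not parse it today).
func ParseMount(arg string) (Mount, error) {
	var m Mount
	for _, kv := range strings.Split(arg, ",") {
		key, val, hasVal := strings.Cut(kv, "=")
		switch key {
		case "type":
			m.Type = val
		case "src", "source":
			if val == "" {
				return Mount{}, errors.New("src= must not be empty; omit it for an anonymous volume")
			}
			m.Source = val
		case "dst", "destination", "target":
			m.Dest = val
		case "ro", "readonly":
			if !hasVal || val == "true" {
				m.Options = append(m.Options, "ro")
			}
		case "nocopy": // assumed extension, see lead-in
			m.Options = append(m.Options, "nocopy")
		default:
			return Mount{}, fmt.Errorf("unknown mount option %q", key)
		}
	}
	switch m.Type {
	case "bind":
		if m.Source == "" {
			return Mount{}, errors.New("type=bind requires src=")
		}
	case "volume":
	default:
		return Mount{}, fmt.Errorf("unsupported mount type %q", m.Type)
	}
	if !strings.HasPrefix(m.Dest, "/") {
		return Mount{}, fmt.Errorf("invalid container path %q, must be an absolute path", m.Dest)
	}
	return m, nil
}

func main() {
	// The three --volume forms from the issue plus the empty-source variant.
	for _, v := range []string{"/root/", "/root/:nocopy", "volroot:/root/:nocopy", ":/root/:nocopy"} {
		m, err := ParseVolume(v)
		fmt.Printf("--volume=%-24s -> %+v err=%v\n", v, m, err)
	}
	m, err := ParseMount("type=volume,dst=/root/,nocopy")
	fmt.Printf("--mount type=volume,dst=/root/,nocopy -> %+v anonymous=%v err=%v\n", m, m.Anonymous(), err)
}
```

Running `go run` on the block prints one line per case; the `:/root/:nocopy` line fails on the empty source, while the `--mount` line yields an anonymous volume carrying the `nocopy` option without any positional ambiguity.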