Document tmpcopyup default behavior for tmpfs mounts

Related to: https://github.com/containers/podman/issues/28684

Signed-off-by: Jan Rodák <hony.com@seznam.cz>

docs/source/markdown/options/mount.md

@@ -116,10 +116,14 @@ Options specific to type=**tmpfs** and **ramfs**:
 
 - *tmpcopyup*: Enable copyup from the image directory at the same location to the tmpfs/ramfs. Used by default.
 
+When the tmpfs destination is inside a volume or bind mount, files from the parent mount are also copied into the tmpfs, so the parent content remains visible. Use **notmpcopyup** to mount an empty tmpfs that shadows the parent mount's subtree.
+
 - *noatime*: Disable updating file access times when the file is read.
 
 - *notmpcopyup*: Disable copying files from the image to the tmpfs/ramfs.
 
+Use this option when mounting a tmpfs inside a volume or bind mount to ensure the tmpfs properly shadows the parent mount's subtree.
+
 - *U*, *chown*: *true* or *false* (default if unspecified: *false*). Set the uid and gid options for the tmpfs filesystem based on the UID and GID of the container. This is **not** recursive.
 
 Options specific to type=**devpts**:

docs/source/markdown/options/tmpfs.md

@@ -20,3 +20,14 @@ This command mounts a **tmpfs** at _/tmp_ within the container. The supported mo
 options are the same as the Linux default mount flags. If no options are specified,
 the system uses the following options:
 **rw,noexec,nosuid,nodev**.
+
+By default, Podman enables **tmpcopyup** on tmpfs mounts, which copies the contents
+of the underlying image directory into the tmpfs before mounting it. This also
+applies when the tmpfs destination is inside a volume or bind mount: files from
+the parent mount are copied into the tmpfs, so the parent content remains visible.
+To mount an empty tmpfs that shadows a parent mount's subtree, use the
+**notmpcopyup** option:
+
+```
+$ podman <<subcommand>> --volume myvolume:/data --tmpfs /data/sub:notmpcopyup my_image
+```