79576961

Date: 2025-04-16 10:37:28
Score: 3.5

I also ran into it.

Just a guess: when using the mount namespace from a target process (either with the "-m" or with the "--all" option), it does not have the mount points from the outside Linux system. That means it can only use processes that are viewable within the target mount namespace.

When using the outside mount namespace, I can run a command like

nsenter -p --target=$(docker inspect -f '{{.State.Pid}}' <container-id>) /bin/bash

For explanation: the Docker container I used for this test is based on busybox and only has /bin/sh (not /bin/bash) within its mount namespace.

Regards, cwo

Reasons:
  • Blacklisted phrase (1): Regards
  • Contains signature (1):
  • Long answer (-0.5):
  • No code block (0.5):
  • Unregistered user (0.5):
  • Low reputation (1):
Posted by: cwo