Comment 2 for bug 1826368

I can be worked around by setting:
juju config neutron-gateway sysctl=''

However, I think host.is_container() should validate if such default is possible. FWIW, I have tried to enable security.privileged and security.nesting on the container running neutron-gateway, and it didn't work (so it seems the unit should get blocked if sysctl is not empty).