diff --git a/Containerfile.5.md b/Containerfile.5.md
index 90226bc..12245e5 100644
--- a/Containerfile.5.md
+++ b/Containerfile.5.md
@@ -154,6 +154,47 @@ Current supported mount TYPES are bind, cache, secret and tmpfs.
 ยท rw, read-write: allows writes on the mount.
+**RUN --network**
+
+`RUN --network` allows control over which networking environment the command
+is run in.
+
+Syntax: `--network=`
+
+**Network types**
+
+| Type | Description |
+|----------------------------------------------|----------------------------------------|
+| [`default`](#run---networkdefault) (default) | Run in the default network. |
+| [`none`](#run---networknone) | Run with no network access. |
+| [`host`](#run---networkhost) | Run in the host's network environment. |
+
+##### RUN --network=default
+
+Equivalent to not supplying a flag at all, the command is run in the default
+network for the build.
+
+##### RUN --network=none
+
+The command is run with no network access (`lo` is still available, but is
+isolated to this process).
+
+##### Example: isolating external effects
+
+```dockerfile
+FROM python:3.6
+ADD mypackage.tgz wheels/
+RUN --network=none pip install --find-links wheels mypackage
+```
+
+`pip` will only be able to install the packages provided in the tarfile, which
+can be controlled by an earlier build stage.
+
+##### RUN --network=host
+
+The command is run in the host's network environment (similar to
+`buildah build --network=host`, but on a per-instruction basis)
+
 **RUN Secrets**
diff --git a/containers-common.spec b/containers-common.spec
index d78513b..3748406 100644
--- a/containers-common.spec
+++ b/containers-common.spec
@@ -12,7 +12,7 @@
 Epoch: 2
 Name: containers-common
 Version: 1
-Release: 50%{?dist}
+Release: 51%{?dist}
 Summary: Common configuration and documentation for containers
 License: ASL 2.0
 # arch limitation because of go-md2man (missing on i686)
@@ -175,6 +175,10 @@ EOF
 %{_datadir}/rhel/secrets/*
 %changelog
+* Tue Mar 21 2023 Jindrich Novy - 2:1-51
+- be sure default_capabilities contain SYS_CHROOT
+- Resolves: #2166195
+
 * Thu Mar 09 2023 Jindrich Novy - 2:1-50
 - improve shortnames generation
 - Related: #2176055
diff --git a/containers.conf b/containers.conf
index e47e49a..0e01d34 100644
--- a/containers.conf
+++ b/containers.conf
@@ -53,6 +53,7 @@
 # the default capabilities defined in the container engine will be added.
 #
 default_capabilities = [
+ "SYS_CHROOT",
 "NET_RAW",
 "CHOWN",
 "DAC_OVERRIDE",
diff --git a/update.sh b/update.sh
index 5ff8d2e..5759357 100755
--- a/update.sh
+++ b/update.sh
@@ -44,6 +44,11 @@ then
 sed -i '/^default_capabilities/a \
 "NET_RAW",' containers.conf
 fi
+if ! grep \"SYS_CHROOT\" containers.conf > /dev/null
+then
+ sed -i '/^default_capabilities/a \
+ "SYS_CHROOT",' containers.conf
+fi
 else
 ensure registries.conf unqualified-search-registries [\"registry.access.redhat.com\",\ \"registry.redhat.io\",\ \"docker.io\"]
 ensure registries.conf short-name-mode \"enforcing\"
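Review bot: The new `"SYS_CHROOT"` entry in `default_capabilities` carries no comment saying why it must be present, while the comment just above the list (ending `...will be added.`) indicates that an explicit list replaces the engine's built-in defaults, so every entry here is handed to every container unless the operator drops it. A one-line rationale next to the entry would stop the next maintainer from pruning it or from treating the list as a place to add capabilities freely; for example `# SYS_CHROOT is intentionally part of the default set (see #2166195)`, the bug the spec changelog references. CAP_SYS_CHROOT is commonly found in container runtime default sets and only permits chroot(2) within the container's own mount namespace, but that reasoning should be written down rather than assumed. The entry is also prepended ahead of `"NET_RAW"` rather than grouped with the other SYS_* style names; that presumably mirrors the `sed ... a` insertion in update.sh, so a note that order is not significant would avoid the question.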
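Review bot: `grep \"SYS_CHROOT\" containers.conf > /dev/null` is an unanchored substring match over the whole file, so a commented-out `# "SYS_CHROOT",` line, or the string occurring anywhere else in the file, is enough to skip the insertion and leave `default_capabilities` without the capability this commit sets out to guarantee. Anchor the check to an uncommented list entry and use `-q` rather than a redirect: `if ! grep -q '^ *"SYS_CHROOT",' containers.conf`; the pre-existing `NET_RAW` check above has the same weakness. The added block is otherwise a verbatim copy of the `NET_RAW` block, and since the registries.conf settings below already go through the `ensure` helper, a similar small helper for capability entries would keep a third addition from being a third copy. The enclosing `if`/`else` begins before this hunk and `ensure` is defined outside it.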