diff --git a/.zuul.d/project.yaml b/.zuul.d/project.yaml
index 274cca1d..c1f4c153 100644
--- a/.zuul.d/project.yaml
+++ b/.zuul.d/project.yaml
@@ -15,8 +15,16 @@
               nodes:
                 - name: ubuntu-bionic
                   label: ubuntu-bionic
-        - tox-py38
-        - tox-py39
+        - tox-py38:
+            nodeset:
+              nodes:
+                - name: ubuntu-focal
+                  label: ubuntu-focal
+        - tox-py39:
+            nodeset:
+              nodes:
+                - name: ubuntu-focal
+                  label: ubuntu-focal
         - tox-py310:
             nodeset:
               nodes:
@@ -61,8 +69,16 @@
               nodes:
                 - name: ubuntu-bionic
                   label: ubuntu-bionic
-        - tox-py38
-        - tox-py39
+        - tox-py38:
+            nodeset:
+              nodes:
+                - name: ubuntu-focal
+                  label: ubuntu-focal
+        - tox-py39:
+            nodeset:
+              nodes:
+                - name: ubuntu-focal
+                  label: ubuntu-focal
         - tox-py310:
             nodeset:
               nodes:
diff --git a/diskimage_builder/elements/containerfile/root.d/08-containerfile b/diskimage_builder/elements/containerfile/root.d/08-containerfile
index 7a852ad9..d8ac8287 100755
--- a/diskimage_builder/elements/containerfile/root.d/08-containerfile
+++ b/diskimage_builder/elements/containerfile/root.d/08-containerfile
@@ -28,8 +28,13 @@ if [[ "${DIB_CONTAINERFILE_PODMAN_ROOT:-0}" != '0' ]]; then
     DIB_CONTAINERFILE_RUNTIME_ROOT=1
 fi
 
+# NOTE(ianw) 2022-12-15 : this used to be left blank, but we've found
+# with current podman this is the only reliable way to get networking
+# in the container we're building (needed for yum update, package
+# install, etc.).  It's less secure, but we're already running in a
+# priviledged container ...
 if [[ -z "${DIB_CONTAINERFILE_NETWORK_DRIVER:-}"  ]]; then
-    DIB_CONTAINERFILE_RUNTIME_NETWORK=""
+    DIB_CONTAINERFILE_RUNTIME_NETWORK="--network host"
 else
     DIB_CONTAINERFILE_RUNTIME_NETWORK="--network ${DIB_CONTAINERFILE_NETWORK_DRIVER:-}"
 fi
diff --git a/releasenotes/notes/containerfile-host-networking-0691f3be5c6b11b6.yaml b/releasenotes/notes/containerfile-host-networking-0691f3be5c6b11b6.yaml
new file mode 100644
index 00000000..876e0bd2
--- /dev/null
+++ b/releasenotes/notes/containerfile-host-networking-0691f3be5c6b11b6.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The default networking in the ``containerfile`` element is
+    switched to ``host`` as we have found that more reliable in
+    generating the initial chroot images.