It's not a bad design, it's the *right* design.  Being able to rescue a guest that can't boot without resorting to a rescue cd boot of the guest vm is a worthwhile goal and this is part of that.  The two alternative designs (guest code in guest vm, guest code in host vm) were both shown to be inferior designs (the first because the guest vm might not be bootable and requires booting up the guest vm which is highly undesirable if the user is simply attempting an offline modification of the vm, the second because that's a huge gaping security cluster fuck).

It's just as necessary as any of the other rescue tools we put on rescue CDs.

