diff --git a/nova/conf/libvirt.py b/nova/conf/libvirt.py
index d23bcd6427a3..9b6d361414a7 100644
--- a/nova/conf/libvirt.py
+++ b/nova/conf/libvirt.py
@@ -192,13 +192,12 @@ Related options:
                default=-2,
                min=-2,
                help="""
-Determines the way how the file system is chosen to inject data into it.
+Determines how the file system is chosen to inject data into it.
 
-*libguestfs* will be used a first solution to inject data. If that's not
-available on the host, the image will be locally mounted on the host as a
-fallback solution. If libguestfs is not able to determine the root partition
-(because there are more or less than one root partition) or cannot mount the
-file system it will result in an error and the instance won't be boot.
+*libguestfs* is used to inject data. If libguestfs is not able to determine
+the root partition (because there are more or less than one root partition) or
+cannot mount the file system it will result in an error and the instance won't
+boot.
 
 Possible values:
 
@@ -215,8 +214,8 @@ Related options:
   on value greater or equal to -1 for ``inject_partition``.
 * ``inject_password``: If this option allows the injection of an admin password
   it depends on value greater or equal to -1 for ``inject_partition``.
-* ``guestfs`` You can enable the debug log level of libguestfs with this
-  config option. A more verbose output will help in debugging issues.
+* ``[guestfs]/debug`` You can enable the debug log level of libguestfs with
+  this config option. A more verbose output will help in debugging issues.
 * ``virt_type``: If you use ``lxc`` as virt_type it will be treated as a
   single partition image
 """),
diff --git a/nova/tests/unit/virt/disk/test_api.py b/nova/tests/unit/virt/disk/test_api.py
index 1d82ef91daf6..5b90fd186e46 100644
--- a/nova/tests/unit/virt/disk/test_api.py
+++ b/nova/tests/unit/virt/disk/test_api.py
@@ -22,7 +22,6 @@ from oslo_utils import units
 from nova import test
 from nova.virt.disk import api
 from nova.virt.disk.mount import api as mount
-from nova.virt.disk.vfs import localfs
 from nova.virt.image import model as imgmodel
 
 
@@ -41,14 +40,11 @@ class FakeMount(object):
 
 
 class APITestCase(test.NoDBTestCase):
-    @mock.patch.object(localfs.VFSLocalFS, 'get_image_fs', autospec=True,
-                       return_value='')
-    def test_can_resize_need_fs_type_specified(self, mock_image_fs):
+    def test_can_resize_need_fs_type_specified(self):
         imgfile = tempfile.NamedTemporaryFile()
         self.addCleanup(imgfile.close)
         image = imgmodel.LocalFileImage(imgfile.name, imgmodel.FORMAT_QCOW2)
         self.assertFalse(api.is_image_extendable(image))
-        self.assertTrue(mock_image_fs.called)
 
     @mock.patch('oslo_concurrency.processutils.execute', autospec=True)
     def test_is_image_extendable_raw(self, mock_exec):
diff --git a/nova/virt/disk/vfs/api.py b/nova/virt/disk/vfs/api.py
index f98404ad1d17..b9b6cb232a62 100644
--- a/nova/virt/disk/vfs/api.py
+++ b/nova/virt/disk/vfs/api.py
@@ -15,8 +15,6 @@
 from oslo_log import log as logging
 from oslo_utils import importutils
 
-from nova import exception
-
 LOG = logging.getLogger(__name__)
 
 
@@ -49,31 +47,16 @@ class VFS(object):
                   "partition=%(partition)s",
                   {'image': image, 'partition': partition})
 
-        vfs = None
-        try:
-            LOG.debug("Using primary VFSGuestFS")
-            vfs = importutils.import_object(
-                "nova.virt.disk.vfs.guestfs.VFSGuestFS",
-                image, partition)
-            if not VFS.guestfs_ready:
-                # Inspect for capabilities and keep
-                # track of the result only if succeeded.
-                vfs.inspect_capabilities()
-                VFS.guestfs_ready = True
-            return vfs
-        except exception.NovaException:
-            if vfs is not None:
-                # We are able to load libguestfs but
-                # something wrong happens when trying to
-                # check for capabilities.
-                raise
-            else:
-                LOG.info("Unable to import guestfs, "
-                         "falling back to VFSLocalFS")
-
-        return importutils.import_object(
-            "nova.virt.disk.vfs.localfs.VFSLocalFS",
+        LOG.debug("Using primary VFSGuestFS")
+        vfs = importutils.import_object(
+            "nova.virt.disk.vfs.guestfs.VFSGuestFS",
             image, partition)
+        if not VFS.guestfs_ready:
+            # Inspect for capabilities and keep
+            # track of the result only if succeeded.
+            vfs.inspect_capabilities()
+            VFS.guestfs_ready = True
+        return vfs
 
     def __init__(self, image, partition):
         """Create a new local VFS instance
diff --git a/releasenotes/notes/bug-1552042-remove-non-libguestfs-injection-fallback-2bd22422df05d99d.yaml b/releasenotes/notes/bug-1552042-remove-non-libguestfs-injection-fallback-2bd22422df05d99d.yaml
new file mode 100644
index 000000000000..b38c4233fef4
--- /dev/null
+++ b/releasenotes/notes/bug-1552042-remove-non-libguestfs-injection-fallback-2bd22422df05d99d.yaml
@@ -0,0 +1,41 @@
+---
+upgrade:
+  - |
+    Be sure to read the **Security** release notes about upgrade impacts for
+    resolving bug 1552042.
+security:
+  - |
+    When using the *libvirt* compute driver, the **libguestfs** package is now
+    **required** for file injection, if you are supporting that in your cloud
+    (see the ``[libvirt]/inject_partition`` config option).
+
+    Previously, if the libguestfs package was not installed, the nova-compute
+    service would fallback to mounting to the local compute host file system
+    which is a security exposure. This has been discussed for years in several
+    forums:
+
+    http://lists.openstack.org/pipermail/openstack-dev/2014-September/046764.html
+
+    http://lists.openstack.org/pipermail/openstack-dev/2016-July/098703.html
+
+    http://lists.openstack.org/pipermail/openstack-dev/2016-November/107233.html
+
+    Furthermore, the `2.57 compute REST API microversion`_ deprecated the use
+    of personality files for file injection. For more history on deprecating
+    file injection, see the `spec`__.
+
+    There are some known caveats with this:
+
+    * If running on s390x, you will need libguestfs >= 1.37.14.
+    * At this time, FreeBSD does not have a libguestfs package, therefore
+      file injection cannot be supported with the libvirt driver on a FreeBSD
+      compute host.
+    * ``[libvirt]/virt_type`` config option values other than ``kvm`` or
+      ``qemu`` may be impacted, like ``lxc``, where libguestfs was not
+      previously required.
+
+    For more background on this change, see
+    https://bugs.launchpad.net/nova/+bug/1552042.
+
+    .. _2.57 compute REST API microversion: https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#id51
+    .. __: https://specs.openstack.org/openstack/nova-specs/specs/queens/implemented/deprecate-file-injection.html