diff --git a/tests/test_db.py b/tests/test_db.py
index c1e0c4edc4ad..8379dd3480d1 100644
--- a/tests/test_db.py
+++ b/tests/test_db.py
@@ -1,7 +1,7 @@
 from fixtures import *  # noqa: F401,F403
 from fixtures import TEST_NETWORK
 from pyln.client import RpcError
-from utils import wait_for, sync_blockheight, COMPAT
+from utils import wait_for, sync_blockheight, COMPAT, VALGRIND, DEVELOPER
 import os
 import pytest
 import time
@@ -140,6 +140,7 @@ def test_scid_upgrade(node_factory, bitcoind):
     assert l1.db_query('SELECT failchannel from payments;') == [{'failchannel': '103x1x1'}]
 
 
+@unittest.skipIf(VALGRIND and not DEVELOPER, "Without developer valgrind will complain about debug symbols missing")
 def test_optimistic_locking(node_factory, bitcoind):
     """Have a node run against a DB, then change it under its feet, crashing it.
 
diff --git a/tests/test_gossip.py b/tests/test_gossip.py
index e73e4bd00a03..71e3aab6c6b4 100644
--- a/tests/test_gossip.py
+++ b/tests/test_gossip.py
@@ -1,4 +1,5 @@
 from collections import Counter
+from ephemeral_port_reserve import reserve
 from fixtures import *  # noqa: F401,F403
 from fixtures import TEST_NETWORK
 from lightning import RpcError
@@ -1600,9 +1601,10 @@ def test_statictor_onions(node_factory):
     """
     # please define your values
     torip = '127.0.0.1'
-    toripps = '127.0.0.1:9051'
+    torips = '127.0.0.1:9051'
     torport = 9050
     torserviceport = 9051
+    portA, portB = reserve(), reserve()
 
     if not check_socket(format(torip), torserviceport):
         return
@@ -1610,11 +1612,17 @@ def test_statictor_onions(node_factory):
     if not check_socket(format(torip), torport):
         return
 
-    l1 = node_factory.get_node(may_fail=True, options={'addr': ['statictor:'.format(toripps)]})
-    l2 = node_factory.get_node(may_fail=True, options={'addr': ['statictor:'.format(toripps, '/torblob=11234567890123456789012345678901')]})
+    l1 = node_factory.get_node(may_fail=True, options={
+        'bind-addr': '127.0.0.1:{}'.format(portA),
+        'addr': ['statictor:{}'.format(torips)]
+    })
+    l2 = node_factory.get_node(may_fail=True, options={
+        'bind-addr': '127.0.0.1:{}'.format(portB),
+        'addr': ['statictor:{}/torblob=11234567890123456789012345678901'.format(torips)]
+    })
 
-    assert l1.daemon.is_in_log('127.0.0.1:'.format(l1.port))
-    assert l2.daemon.is_in_log('x2y4zvh4fn5q3eouuh7nxnc7zeawrqoutljrup2xjtiyxgx3emgkemad.onion:9735,127.0.0.1:'.format(l2.port))
+    assert l1.daemon.is_in_log('127.0.0.1:{}'.format(l1.port))
+    assert l2.daemon.is_in_log('x2y4zvh4fn5q3eouuh7nxnc7zeawrqoutljrup2xjtiyxgx3emgkemad.onion:9735,127.0.0.1:{}'.format(l2.port))
 
 
 @unittest.skipIf(not DEVELOPER, "needs a running Tor service instance at port 9151 or 9051")
@@ -1626,18 +1634,20 @@ def test_torport_onions(node_factory):
     """
     # please define your values
     torip = '127.0.0.1'
-    toripps = '127.0.0.1:9051'
+    torips = '127.0.0.1:9051'
     torport = 9050
     torserviceport = 9051
 
-    if not check_socket(format(torip), torserviceport):
+    if not check_socket(torip, torserviceport):
         return
 
-    if not check_socket(format(torip), torport):
+    if not check_socket(torip, torport):
         return
 
-    l1 = node_factory.get_node(may_fail=True, options={'addr': ['statictor:'.format(toripps, '/torport=45321')]})
-    l2 = node_factory.get_node(may_fail=True, options={'addr': ['statictor:'.format(toripps, '/torport=45321:torblob=11234567890123456789012345678901')]})
+    portA, portB = reserve(), reserve()
+
+    l1 = node_factory.get_node(may_fail=True, options={'bind-addr': '127.0.0.1:{}'.format(portA), 'addr': ['statictor:{}/torport=45321'.format(torips)]})
+    l2 = node_factory.get_node(may_fail=True, options={'bind-addr': '127.0.0.1:{}'.format(portB), 'addr': ['statictor:{}/torport=45321/torblob=11234567890123456789012345678901'.format(torips)]})
 
-    assert l1.daemon.is_in_log('45321,127.0.0.1:'.format(l1.port))
-    assert l2.daemon.is_in_log('x2y4zvh4fn5q3eouuh7nxnc7zeawrqoutljrup2xjtiyxgx3emgkemad.onion:45321,127.0.0.1:'.format(l2.port))
+    assert l1.daemon.is_in_log('45321,127.0.0.1:{}'.format(l1.port))
+    assert l2.daemon.is_in_log('x2y4zvh4fn5q3eouuh7nxnc7zeawrqoutljrup2xjtiyxgx3emgkemad.onion:45321,127.0.0.1:{}'.format(l2.port))
diff --git a/tools/hsmtool.c b/tools/hsmtool.c
index f91686a5e344..79e5394f574e 100644
--- a/tools/hsmtool.c
+++ b/tools/hsmtool.c
@@ -152,11 +152,15 @@ static int decrypt_hsm(const char *hsm_secret_path, const char *passwd)
 	int fd;
 	struct stat st;
 	struct secret hsm_secret;
+	const char *dir, *backup;
 
 	if (sodium_init() == -1)
 		err(ERROR_LIBSODIUM,
 		    "Could not initialize libsodium. Not enough entropy ?");
 
+	dir = path_dirname(NULL, hsm_secret_path);
+	backup = path_join(dir, dir, "hsm_secret.backup");
+
 	if (stat(hsm_secret_path, &st) != 0)
 		err(ERROR_HSM_FILE, "Could not stat hsm_secret");
 	if (st.st_size <= 32)
@@ -164,7 +168,7 @@ static int decrypt_hsm(const char *hsm_secret_path, const char *passwd)
 	get_encrypted_hsm_secret(&hsm_secret, hsm_secret_path, passwd);
 
 	/* Create a backup file, "just in case". */
-	rename(hsm_secret_path, "hsm_secret.backup");
+	rename(hsm_secret_path, backup);
 	fd = open(hsm_secret_path, O_CREAT|O_EXCL|O_WRONLY, 0400);
 	if (fd < 0)
 		err(ERROR_HSM_FILE, "Could not open new hsm_secret");
@@ -180,11 +184,12 @@ static int decrypt_hsm(const char *hsm_secret_path, const char *passwd)
 	/* Be as paranoïd as in hsmd with the file state on disk. */
 	if (!ensure_hsm_secret_exists(fd, hsm_secret_path)) {
 		unlink_noerr(hsm_secret_path);
-		rename("hsm_secret.backup", hsm_secret_path);
+		rename(backup, hsm_secret_path);
 		err(ERROR_HSM_FILE,
 		    "Could not ensure hsm_secret existence.");
 	}
-	unlink_noerr("hsm_secret.backup");
+	unlink_noerr(backup);
+	tal_free(dir);
 
 	printf("Succesfully decrypted hsm_secret, be careful now :-).\n");
 	return 0;
@@ -200,6 +205,10 @@ static int encrypt_hsm(const char *hsm_secret_path, const char *passwd)
 	u8 header[crypto_secretstream_xchacha20poly1305_HEADERBYTES];
 	/* The cipher size is static with xchacha20poly1305. */
 	u8 cipher[sizeof(struct secret) + crypto_secretstream_xchacha20poly1305_ABYTES];
+	const char *dir, *backup;
+
+	dir = path_dirname(NULL, hsm_secret_path);
+	backup = path_join(dir, dir, "hsm_secret.backup");
 
 	if (sodium_init() == -1)
 		err(ERROR_LIBSODIUM,
@@ -228,7 +237,7 @@ static int encrypt_hsm(const char *hsm_secret_path, const char *passwd)
 		err(ERROR_LIBSODIUM, "Could not encrypt the seed.");
 
 	/* Create a backup file, "just in case". */
-	rename(hsm_secret_path, "hsm_secret.backup");
+	rename(hsm_secret_path, backup);
 	fd = open(hsm_secret_path, O_CREAT|O_EXCL|O_WRONLY, 0400);
 	if (fd < 0)
 		err(ERROR_HSM_FILE, "Could not open new hsm_secret");
@@ -238,17 +247,18 @@ static int encrypt_hsm(const char *hsm_secret_path, const char *passwd)
 		|| !write_all(fd, cipher, sizeof(cipher))) {
 		unlink_noerr(hsm_secret_path);
 		close(fd);
-		rename("hsm_secret.backup", hsm_secret_path);
+		rename(backup, hsm_secret_path);
 		err(ERROR_HSM_FILE, "Failure writing cipher to hsm_secret.");
 	}
 
 	/* Be as paranoïd as in hsmd with the file state on disk. */
 	if (!ensure_hsm_secret_exists(fd, hsm_secret_path)) {
 		unlink_noerr(hsm_secret_path);
-		rename("hsm_secret.backup", hsm_secret_path);
+		rename(backup, hsm_secret_path);
 		err(ERROR_HSM_FILE, "Could not ensure hsm_secret existence.");
 	}
-	unlink_noerr("hsm_secret.backup");
+	unlink_noerr(backup);
+	tal_free(dir);
 
 	printf("Succesfully encrypted hsm_secret. You'll now have to pass the "
 	       "--encrypted-hsm startup option.\n");