@@ -10,6 +10,7 @@ import (

 	"os/exec"

 	"path/filepath"

 	"strings"

+	"sync"

 	"time"

 	"github.com/docker/distribution/reference"

@@ -630,16 +631,26 @@ func (s *DockerSuite) TestPushToCentralRegistryUnauthorized(c *check.C) {

 	c.Assert(out, check.Not(checker.Contains), "Retrying")

 }

-func getTestTokenService(status int, body string) *httptest.Server {

+func getTestTokenService(status int, body string, retries int) *httptest.Server {

+	var mu sync.Mutex

 	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

-		w.WriteHeader(status)

-		w.Header().Set("Content-Type", "application/json")

-		w.Write([]byte(body))

+		mu.Lock()

+		if retries > 0 {

+			w.WriteHeader(http.StatusServiceUnavailable)

+			w.Header().Set("Content-Type", "application/json")

+			w.Write([]byte(`{"errors":[{"code":"UNAVAILABLE","message":"cannot create token at this time"}]}`))

+			retries--

+		} else {

+			w.WriteHeader(status)

+			w.Header().Set("Content-Type", "application/json")

+			w.Write([]byte(body))

+		}

+		mu.Unlock()

 	}))

 }

 func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *check.C) {

-	ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`)

+	ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`, 0)

 	defer ts.Close()

 	s.setupRegistryWithTokenService(c, ts.URL)

 	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)

@@ -651,7 +662,7 @@ func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *che

 }

 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnauthorized(c *check.C) {

-	ts := getTestTokenService(http.StatusUnauthorized, `{"error": "unauthorized"}`)

+	ts := getTestTokenService(http.StatusUnauthorized, `{"error": "unauthorized"}`, 0)

 	defer ts.Close()

 	s.setupRegistryWithTokenService(c, ts.URL)

 	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)

@@ -664,7 +675,7 @@ func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponse

 }

 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseError(c *check.C) {

-	ts := getTestTokenService(http.StatusInternalServerError, `{"error": "unexpected"}`)

+	ts := getTestTokenService(http.StatusTooManyRequests, `{"errors": [{"code":"TOOMANYREQUESTS","message":"out of tokens"}]}`, 4)

 	defer ts.Close()

 	s.setupRegistryWithTokenService(c, ts.URL)

 	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)

@@ -672,12 +683,13 @@ func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponse

 	out, _, err := dockerCmdWithError("push", repoName)

 	c.Assert(err, check.NotNil, check.Commentf(out))

 	c.Assert(out, checker.Contains, "Retrying")

+	c.Assert(out, checker.Not(checker.Contains), "Retrying in 15")

 	split := strings.Split(out, "\n")

-	c.Assert(split[len(split)-2], check.Equals, "received unexpected HTTP status: 500 Internal Server Error")

+	c.Assert(split[len(split)-2], check.Equals, "toomanyrequests: out of tokens")

 }

 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseUnparsable(c *check.C) {

-	ts := getTestTokenService(http.StatusForbidden, `no way`)

+	ts := getTestTokenService(http.StatusForbidden, `no way`, 0)

 	defer ts.Close()

 	s.setupRegistryWithTokenService(c, ts.URL)

 	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)

@@ -690,7 +702,7 @@ func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponse

 }

 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseNoToken(c *check.C) {

-	ts := getTestTokenService(http.StatusOK, `{"something": "wrong"}`)

+	ts := getTestTokenService(http.StatusOK, `{"something": "wrong"}`, 0)

 	defer ts.Close()

 	s.setupRegistryWithTokenService(c, ts.URL)

 	repoName := fmt.Sprintf("%s/busybox", privateRegistryURL)