How do I "unexpose" ports?

I base my images on other Docker Hub images that often expose ports in their Dockerfiles. I don’t want ports exposed in the base image to be “inherited” in my image.

How do I “unexpose” these inherited ports and replace with a list of ports appropriate for the new image?

I am afraid you inherit all EXPOSE, VOLUME and ENV declarations from the parent. As far as I am aware, USER, CMD and ENTRYPOINT can be overridden in a child Dockerfile - last declaration wins.

Though, you are always affected by the declared VOLUMEs, as their content will be stored outside your container. If you don’t take care of it yourself, you will end up with implicitly created volumes with random cryptic names in /var/lib/docker/volumes/. If you don’t specify -v with docker rm, you will end up with orphaned volumes.

The inherited EXPOSE declarations are only published if your container runs with network=host or -P is used to expose all declared ports. On a bridge and overlay network, the declarations are merely a hint… For those network types, it is up to you which ports you publish, regardless of whether they are declared as EXPOSE or not.

If you don’t like what your parent images do, fork the Dockerfile, modify it for your needs and build a new image from it, then push it into an image repository. Use your new image as your parent image.
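An added example, not part of the original posts: a small Python audit that reads `docker image inspect` JSON and lists the EXPOSE and VOLUME declarations an image carries beyond the ports you intend to serve, then builds explicit `-p` flags to use instead of `-P`. The inspect document, the image name, the helper names and the `127.0.0.1` bind address are constructed for illustration; only the `Config.ExposedPorts` and `Config.Volumes` keys come from Docker's inspect output.

```python
import json

# Constructed sample: trimmed `docker image inspect` output for a hypothetical
# child image whose base image declared EXPOSE 80 443 and VOLUME /var/lib/data.
SAMPLE_INSPECT = json.loads("""
[{"RepoTags": ["example/child:latest"],
  "Config": {"ExposedPorts": {"80/tcp": {}, "443/tcp": {}, "8080/tcp": {}},
             "Volumes": {"/var/lib/data": {}}}}]
""")


def _normalize(port):
    """'8080' -> '8080/tcp'; '53/udp' stays as-is (Docker defaults to tcp)."""
    port = str(port)
    return port if "/" in port else f"{port}/tcp"


def _port_key(spec):
    number, proto = spec.split("/")
    return int(number), proto


def audit_image(inspect_doc, intended_ports):
    """Report inherited declarations that the child image did not ask for."""
    cfg = inspect_doc[0].get("Config") or {}
    declared = set(cfg.get("ExposedPorts") or {})  # null when nothing is exposed
    intended = {_normalize(p) for p in intended_ports}
    return {
        "unwanted": sorted(declared - intended, key=_port_key),  # -P publishes these
        "undeclared": sorted(intended - declared, key=_port_key),
        "volumes": sorted(cfg.get("Volumes") or {}),  # anonymous unless mounted
    }


def publish_flags(intended_ports, bind_addr="127.0.0.1"):
    """Explicit -p flags for `docker run`, used instead of -P (bind_addr assumed)."""
    flags = []
    for spec in sorted({_normalize(p) for p in intended_ports}, key=_port_key):
        number, proto = spec.split("/")
        flags += ["-p", f"{bind_addr}:{number}:{number}/{proto}"]
    return flags


if __name__ == "__main__":
    print(audit_image(SAMPLE_INSPECT, ["8080"]))
    print(" ".join(publish_flags(["8080"])))
```

To run it against a real image, replace the sample with the parsed output of `docker image inspect <image>`.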